hasn’t published any formal cases against auto dealerships under the Safeguards Rule, the timing of this FAQ was notable given that we saw several dealerships fall victim to ransomware attacks within the past year. It came almost exactly one year after the CDK Global ransomware attack, which disrupted operations at over 15,000 dealerships nationwide. Though the FTC has not stated that the FAQ was issued in response to events like these, it’s reasonable to interpret the publication as a proactive reminder: Dealerships are still very much subject to the Safeguards Rule, and enforcement may simply be a matter of time.

STATE LAWS: THE HIDDEN THREAT TO NONCOMPLIANT DEALERS

Even if federal enforcement seemed to pause — again, the data doesn’t support that — it wouldn’t mean dealers are in the clear. As of July 2025, 19 U.S. states have passed comprehensive data privacy or cybersecurity protection laws, with most others having some sort of basic protection laws for residents, and many industry-specific ones at the state level. More states are introducing bills every year, and these laws increasingly apply to businesses that collect consumer or employee data.

Just weeks ago, Oregon proposed an amendment targeting cybersecurity and data protection responsibilities within the auto industry, starting with manufacturers but potentially extending accountability to dealers. This is a trend worth watching, especially as many of these state laws carry private right of action provisions, enabling consumers to file lawsuits independently of government enforcement.

LITIGATION RISK: CLASS ACTIONS AND RANSOMWARE FALLOUT

In several high-profile ransomware cases affecting dealerships over the past year, we’ve seen a sharp rise in class action lawsuits filed not only by consumers but also dealership employees whose personal information (including Social Security numbers) was exposed. Even when regulators don’t act, civil litigation can be financially devastating.
Cybercriminals are increasingly aware of Safeguards Rule requirements and use them to their advantage. In some cases, attackers have threatened to report noncompliant victims to authorities if ransom demands aren’t met. While this tactic hasn’t been widely seen in auto retail yet, it’s a known trend in other industries and further underscores the importance of timely breach reporting.

A PRACTICAL PATH FORWARD

Fortunately, there is good news. Most federal and state data protection rules overlap significantly. The FTC Safeguards Rule, state privacy laws and even consumer litigation risk can all be addressed by adopting foundational cybersecurity practices that protect customer and employee data.

At OCD Tech, our approach is rooted in the Center for Internet Security (CIS) Controls — a set of prioritized actions developed by experts to reduce risk. We help dealerships build risk-based, evolving information security programs that align with legal requirements but are also practical and scalable. That means no wasted effort — just smart, defensible security strategies.

CONCLUSION: FOCUS ON RISK, NOT RHETORIC

Dealers don’t need to obsess over political cycles to make smart decisions about cybersecurity. Enforcement data shows that FTC action has remained steady, regardless of administration. More importantly, the risk landscape — ransomware, litigation, state laws — is growing more complex. Rather than guessing what Washington, D.C., will do next, the safer bet is to treat compliance as a business risk, not a regulatory checkbox. The FTC Safeguards Rule isn’t just about rules — it’s about protecting your dealership, your customers and your employees from real and growing threats.

To learn more about OCD Tech — SecurePath, please visit securepath.ocd-tech.com or email Robbie Harriman at rharriman@ocd-tech.com.

Robbie is director, advisory services at OCD Tech. Robbie joined the firm in May of 2016. Prior to working at OCD Tech, Robbie worked in IT for other companies, including the heavily regulated casino industry. He currently oversees OCD Tech’s Advisory services, which include security assessments as well as government compliance services, including DFARS, NIST and CMMC for organizations in the Defense Industrial Base. Robbie has a diverse range of experience in the IT field, with a deep background in IT systems administration and control areas. Robbie presents regularly at events and contributes to security-related publications.