Franchise dealers face a variety of challenges in the current automobile market – the transition to electrification, supply chain constraints on vehicles and parts, inflation, rising interest rates, digital retailing, workforce development and an increase in catalytic converter theft – just to name a few. As if those challenges were not enough, another requires immediate attention by GADA members: compliance with the FTC’s updated Safeguards Rule.

The Safeguards Rule has been in effect for nearly 20 years. It is a federal data security rule that requires financial institutions, including dealers, to have measures in place (“safeguards”) to keep customer information secure. The original rule requires dealers to develop a system for safeguarding customer data but allows them flexibility in determining the size and scope of that system based on the dealer’s individual circumstances. The new rule, however, places several additional requirements on businesses.

Why did the FTC update the Safeguards Rule? There have been several high-profile data breaches in recent years. The updated Safeguards Rule puts the onus on businesses to do more to prevent future breaches.

When does the updated Safeguards Rule take effect? While some parts of the Safeguards Rule have already taken effect, many of the requirements take effect on Dec. 9, 2022. Dealers must be in compliance by then.

What does the updated Safeguards Rule require? A comprehensive analysis of the Rule’s many requirements is beyond the scope of this bulletin (and the author’s expertise).
By way of a brief synopsis, the updated Rule requires dealers to:

• Designate a qualified individual or service provider to oversee and implement an information security program;
• Perform a data systems inventory – essentially an assessment of all systems, including not just the DMS and CRM but also websites, computers, cell phones and vehicles in inventory;
• Prepare a Written Risk Assessment periodically that categorizes security risks, assesses the adequacy of existing controls on information systems in light of those risks, and details how the dealership will manage and mitigate those risks;
• Develop a Written Information Security Plan that must ensure the security and confidentiality of customer information, protect against anticipated threats or hazards to the security or integrity of the system, and protect against unauthorized access to or use of customer information;
• Prepare a Written Incident Response Plan to enable the company to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity or availability of customer information; and
• Submit Written Reports to the Board of Directors or Senior Leadership of the dealership regarding the information security program and compliance.

In addition, dealers must implement technical requirements such as encryption, multi-factor authentication, system monitoring, penetration testing and vulnerability testing. Dealers must also develop procedures for monitoring access to and controls over customer information, for the secure use of software programs, for disposing of old customer information, and for maintaining system integrity through personnel changes. Dealers are further required to train their employees on these new responsibilities and to monitor service providers who can access dealership systems to ensure their compliance. If that all sounds daunting and expensive, it likely will be.
But an ounce of prevention is worth a pound of cure, as the old saying goes. The potential costs of not complying include fines of over $46,000 per violation, a loss of cyber insurance, civil liability, and harm to business operations and reputation.

What Should You Do to Prepare? Several resources are available to assist dealers with compliance.

HEADLIGHTS ON THE LAW
UPDATED SAFEGUARDS RULE: Dealers Must Comply by December 9, 2022
Ben Jordan, GADA General Counsel & Director of Governmental Relations
ISSUE 1, 2022