A New FTC Self-Reporting Requirement Means It’s Time to Check-In with the Safeguards Rule BY SUNNY MAYHALL, THE LDS GROUP T his time last year, dealerships were working to prepare for the summer deadline imposed by the Federal Trade Commission in the Amended Safeguards Rule.¹ Once June 9, 2023, passed, the FTC provided a brief reprieve before announcing in December the finalizing of the Vehicle Shopping Rule, dubbed the “Combating Auto Retail Scams Trade Regulation Rule” or the “CARS Rule.”² While the industry awaits the fate³ of the Vehicle Shopping Rule, an additional amendment to the Safeguards Rule warrants discussion. This amendment was finalized at the end of 2023 when compliance developments were focused on CARS. As of May 13, 2024, automobile dealerships are subject to a customer data breach self-reporting requirement. Specifically, under the latest edit to the Safeguards Rule, dealerships must report to the FTC “notification events.” The FTC defines a “notification event” as “… the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.”⁴ Under the amendment, notification events are limited to events involving unencrypted customer information that involve at least 500 customers.5 The amendment should prompt an assessment of whether any dealership customer information exists in unencrypted form post-June 9, 2023. The FTC allows 30 days after the discovery of the event to self-report using a notice form on the FTC website.6 Once any employee, officer or agent has knowledge of the event, the event is deemed known to the entire entity, and the clock begins to run.7 Additionally, the FTC has indicated that it will publish notification events to a public database.8 It goes without saying that publication introduces a risk of reputational harm. The FTC’s new requirement to self-report notification events comes almost one year after the deadline for having an established Information Security Program.9 As you know, the FTC is authorized to initiate enforcement actions against dealers for failing to have a compliant program.10 It’s not a stretch to consider that a self-reported notification event may give rise to a broader audit and enforcement action that looks into an entire Information Security Program.11 As we wrote last year, recent FTC activity means it’s time to check-in and self-audit. You and your compliance partner should examine dealership policies, particularly the dealership’s Incident Response Plan, and dealership training protocols. In addition to training on your customer data standards and how to communicate should a notification event occur, it’s a wise idea for dealership staff to stay current on industry-wide compliance issues. Approximately every eight weeks, the LDS Group offers an Ethics and Compliance Seminar via Zoom. Attendance is tracked during the virtual sessions, allowing dealers to receive reports. Training is not a one-and-done exercise. Repeated exposure to the pertinent issues of the day and to your dealership’s policies best positions your employees to be ready should a notification event occur. Sources 1 16 C.F.R. § 314.5. 2 FTC Vehicle Shopping Rule. https://www.nada.org/ nada/issues/ftc-vehicle-shopping-rule#:~:text=On%20 Dec.,or%20the%20%E2%80%9CCARS%20 Rule.%E2%80%9D. 3 NADA Files Federal Court Challenge to Stop FTC’s Vehicle Shopping Rule. https://www.nada.org/nada/ nada-headlines/nada-files-federal-court-challenge-stop-ftc s-vehicle-shopping-rule. 4 16 C.F.R. § 314.2(m). 5 16 C.F.R. § 314.2(m). 6 16 C.F.R. § 314.4. 7 16 C.F.R. § 314.4. 8 Federal Trade Commission Summary of the Final Rule, Section IV Detailed Analysis, p. 29. https://www.ftc.gov/ system/files/ftc_gov/pdf/p145407_safeguards_rule.pdf. 9 16 C.F.R. § 314.1, et seq. 10 NADA Management Series: Driven A Dealer Guide to the FTC Safeguards Rule, L43 (citing 15 U.S.C. § 41 et seq.). 11 Federal Trade Commission Summary of the Final Rule, Section IV Detailed Analysis, p. 9. (quoting NADA comments). https://www.ftc.gov/system/files/ftc_gov/ pdf/p145407_safeguards_rule.pdf. 10
RkJQdWJsaXNoZXIy ODQxMjUw