Pub. 4 2023 Issue 1

TowneBank.com/DealerServices Kevin Bonniwell Executive Vice President Director of Dealer Services & Finance Member FDIC It’s your vision... your dream. And we’re your bankers. Business_Va_Auto_Dealers_Assoc_VADA_3.625x4.625_4c_Ad.indd 1 3/17/23 10:10 AM • Consumer protection efforts. Depending on the extent of the breach, you may be legally responsible for the cost of providing identity theft protection measures to all of the consumers who suffered a release of their information. • State and federal penalties. Suffering a breach does not earn you any pity from the government. State and federal enforcement officials will come shortly thereafter to “pour salt in the wound” in the form of heavy fines and penalties. • Class action lawsuits. Always a significant concern for dealers is a class action lawsuit by harmed individuals who had their information either stolen or released. FTC Using its Broad Authority Under Section 5 for Cybersecurity Concerns Section 5 of the FTC Act prohibits “unfair or deceptive business practices in or affecting commerce.” Given that this clause has been around since 1914, it is safe to say that the authors did not consider cybersecurity during the time that it was drafted. Nevertheless, as a Nobel Prize laureate once said, “the times they are a-changin’” and the FTC has wielded this section as a sword to strike down businesses who have displayed poor cybersecurity practices. This has become such an issue that Brad Miller, General Counsel and Chief Risk Officer at NADA, spoke about this during one of the educational seminars at the Dallas convention. Defining false data security or privacy representations under both “unfair” and “deceptive” terms of art since 2002, the FTC has negotiated consent agreements since then with most businesses, as many of them never wanted to test its authority over regulating cybersecurity. It was not until 2012 when a private company that had been the victim of a cyberattack three times moved to dismiss the FTC’s lawsuit, stating that it had no authority, rather than enter into a settlement. Going all the way up to the Third Circuit, the court affirmed that the FTC does in fact have the authority to regulate cybersecurity based on factors I won’t bore you with here. Since then, there have been no direct challenges to the FTC’s authority over a business’s cybersecurity practices under this broad Section 5 and the FTC continues to use it repeatedly and effectively: • Consent order with an education technology provider for alleged poor data security practices that exposed sensitive information about millions of customers and employees – January 2023 • Consent order with an online alcohol marketplace (and its CEO, personally) over allegations that its security failures led to a data breach, exposing the personal information of approximately 2.5M consumers – January 2023 • Consent order with an online customized merchandise platform that failed to implement reasonable security measures and failed to adequately respond to several security breaches – June 2022 With the Safeguards Rule and the looming Motor Vehicle Trade Regulation Rule that the NADA is actively opposing, we believe that automotive retail is squarely in the sights of the new FTC commissioners. It is imperative that dealers continue in their efforts to expeditiously comply with all the new requirements of the Rule to achieve full compliance by the new deadline. If you’re feeling behind or overwhelmed, we’re here to help. Send us a message at info@complyauto.com or visit our website at www.complyauto.com to learn more about our “one-stop-shop” solution for the Safeguards Rule and our Compliance Guarantee. This article should be used as a compliance aid only and though its accuracy has been made a priority, it is not a substitute for professional legal advice. Each dealer should rely on their own expertise when using it. 10 Virginia Auto Dealer

RkJQdWJsaXNoZXIy ODQxMjUw