The Federal Trade Commission (“FTC”) continues to examine its proposed amendments to the regulations on consumer data protection. Falling under the Gramm-Leach-Bliley Act (“GLBA”), the proposed rule changes expand the requirements of the rule on Safeguarding Customer Information (“Safeguards Rule”); the GLBA was signed into law in 1999 and the Safeguards Rule went into effect in 2003. Because lease and financing agreements are major components of an automotive dealership’s business, dealerships are required to comply with the GLBA.
Recent reports have scrutinized the significant direct and indirect costs this will put on businesses and consumers. The National Automobile Dealers Association (“NADA”) has been increasingly vocal in its opposition. It estimates that one-time costs would range from $220,400 to $367,550 and that annual costs would range from $217,800 to $336,050 for small to midsize dealerships. Additionally, the International Technology & Innovation Foundation has estimated that it “could cost the US economy approximately $122 billion, or $483 per US adult, per year.”
As it currently stands, the Safeguards Rule requires auto dealers to have a formal security plan detailing the steps the company takes to protect its customers’ nonpublic personal information.
The plan must include:
- Designating an employee to manage the safeguards
- Performing a thorough risk analysis of each department that handles nonpublic personal information
- Developing, monitoring and testing the program to ensure nonpublic information is secure
- Selecting service providers that maintain appropriate safeguards, making sure the service provider contract requires it, and overseeing their handling of customer information
- Updating the safeguards as needed
Ongoing compliance with the existing FTC Safeguards Rule has always had a cost factor. The current rule follows a reasonableness standard, meaning that while companies must protect consumer data, the rule does not stipulate specifically how. A few of the additions in the proposed amendments include:
- Implementing various security and encryption measures, including but not limited to:
  - Restricting access to physical locations
  - Encryption
  - Multifactor authentication
  - Penetration and vulnerability testing
- Implementing audit trails designed to detect and respond to security events
- Monitoring authorized access and detecting unauthorized access
- Training employees
- Assessing service providers periodically
- Establishing an incident response plan
Additionally, the proposed amendments include minor changes to the Privacy Rule (a regulation specific to motor vehicle dealers) to ensure consistency and provide clarification on annual privacy notices.
There are many components to the proposed amendment, which is being actively opposed by NADA and other organizations. Very few, if any, automotive dealers or dealer groups have the personnel on hand to properly comply with the existing and proposed components of the Safeguards Rule.
Compliance is a costly component of doing business, but noncompliance can be far more expensive. To assist with automotive dealer compliance needs, Withum has launched a suite of on-demand videos featuring renowned auto dealer consultants Chris Andrews and Robert Campbell. The training modules cover FTC Red Flags, Safeguarding and Form 8300 compliance. Reach out to your Withum team to gain access to the video series. A preview of the series is available here.
Authors: Joe Ro, CPA and Karen Koch Reilly, CPA