The National Automobile Dealers Association (NADA) represents over 16,000 franchised dealers in all 50 states who market and sell new and used cars and trucks, and engage in service, repair, and parts sales to consumers and others. NADA members collective employ over one million people nationwide and assist consumers in obtaining financial or leasing options for new and used vehicles, they are generally deemed to be financial institutions under the Gramm-Leach-Bliley Act, and thus are subject to the Federal Trade Commission (FTC) Standards for Safeguarding Customer Information (“Safeguard Rule” or “Rules”). NADA has submitted a request to the FTC asking to amend the standard Safeguards Rule by adding provisions to exempt it's members from certain provisions.
On October 27, 2021, the FTC issued its final amendments to the FTC Safeguards Rule. The Rule contains a significant number of new and expanded procedural, technical, and personnel requirements that financial institutions, including auto dealers, must satisfy to meet their information security obligations.
Below are answers to a few preliminary dealer questions, some details about what the Amended Rule and the estimated costs for compliance with many of the new requirements.
Preliminarily Questions:
Q. What is the Safeguards Rule?
A. The Safeguards Rule (“Rule”) is a federal data security rule that requires financial institutions (including dealers) to have measures in place to keep customer information secure. In addition to developing their own safeguards, dealers are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
Q. What does it require?
A. The Rule requires financial institutions to “develop, implement and maintain a [written] comprehensive information security program” that “contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” Furthermore, you should have written document developed for your dealership reviewing your systems and the information you maintain, which contain the steps you are taking to protect that data.
Q. When is this effective?
A. Dealers and all of their service providers that access any customer data, will have to comply with the new requirements by December 9th, 2022. However, some of the changes in the Amended Rule take effect 30 days after publication.
Q. Are there any exceptions?
A. There is an exception to many of the new requirements for any entity that maintains 5,000 or fewer customer records. Dealers should consult with their vendors and professional advisors concerning this exception as well as the other aspects of the new requirements.
Q. What about my OEM?
A. There is no exception, nor has there even been an exception for your relationship with your OEM. Any programs you participate in, or services you obtain from your OEM, must comply with the requirements of the Safeguards Rule to the extent customer data is shared.
Q. Will this be expensive for dealers?
A. There is no clear answer to that question, but the new requirements are certainly extensive, complicated, and for many dealers will add significant
costs. Note that during the time the FTC was considering the proposed rule, NADA submitted the results of an independent third-party cost study, which detail the estimated costs to comply with many of the new requirements for the average sized dealership.
Amended Rules - the "Basics"
- Abandon "reasonable" standard for list or requirements
- Must comply by December 2, 2022
- Certain requirements to no apply if there is less than 5,000 customer records
- Increased obligations on internal systems and third-parties
What are the new requirements?
The new requirements are broken down to fifteen rules which are required for each franchised dealership. As stated previously, dealers must comply to these rules by December 2, 2022.
How we can help your dealership.
NCI is working with our technology providers to provide a complete solution which will help your dealership adhere to the amended Safeguards Rule issues by the FTC. As you can see from the chart below, we can assist in most all of the requirements required. Our services will cover all the items needed to setup, provision and maintain the necessary requirements.
Who is NCI?
If you are looking for a proven IT service provider, Network Connections has all the solutions you're looking for. We offer your business managed IT services, mobile or remote workplace, Microsoft cloud services, managed cybersecurity, and hosted VoIP solutions.
Contact us today, and find out how we can help your business.
