The National Automobile Dealers Assn. has taken a stand against proposed changes to the Federal Trade Commission’s Safeguards Rule, which dictates how financial institutions protect consumer data.
If the changes take effect, dealerships will be forced to shell out hundreds of thousands of dollars to comply.
However, new laws such as the California Consumer Privacy Act (CCPA) and New York’s SHIELD Act are forcing these changes, regardless of the status of the FTC Safeguards Rule.
In fact, 24 states have recently passed new data privacy laws or updated existing ones. A federal bill currently is under discussion.
I understand the dealer perspective. Nobody wants to part with hundreds of thousands of dollars for what is perceived as an onerous new regulation. But is it onerous? Or is it a forced and long-overdue evolution?
Most dealerships I visit haven’t significantly upgraded their information technology networks in 10 years. Meanwhile, cybercrime is on the rise.
These two factors create a perfect storm waiting to happen. Consumers are tired of their information being stolen. They want data protection.
Despite NADA’s position, this is an issue that unites nearly everyone. Democrat, Republican, Libertarian, it doesn’t matter. Nobody wants their data in the hands of criminals, and legislators are listening to their constituents.
But it’s not all bad news. In California, the state attorney general has defined “reasonable measures” as the implementation of 20 controls established by the Center for Internet Security.
The controls are a best-practices framework. It’s not intended that every organization in every industry implement them to the same level.
The appropriate level of implementation for a dealership can only be determined by someone with expertise. Dealers who aren’t sure where to start, or who want to proactively evolve their IT before they’re forced to, should start with the first five CIS controls.
Regardless of where a dealer resides, these controls will go a long way towards safeguarding customers’ data and delivering a better technology experience to employees and customers alike.
Based on my experience, if the average dealership implements these controls to within a certain percentage of the controls as written, it would still constitute “reasonable measures.” However, the average dealership falls far short of these benchmarks.
Here is a summary of five CIS controls, along with ideal benchmarks for dealerships and current compliance levels of the “average” dealership:
Control #1: Inventory and control of hardware assets.
Evolved dealer’s compliance benchmark goal: 96%.
Average dealer’s compliance level: 25%.
Control #2: Inventory and control of software assets.
Evolved dealer’s compliance benchmark goal: 100%.
Average dealer’s compliance level: 55%.
Control #3: Continuous vulnerability management.
Evolved dealer’s compliance benchmark goal: 96%.
Average dealer’s compliance level: 13%.
Control #4: Controlled use of administrative privileges.
Evolved dealer’s compliance benchmark goal: 94%.
Average dealer’s compliance level: 41%.
Control #5: Secure configuration for hardware and software on laptops, mobile devices, workstations and servers.
Evolved dealer’s compliance benchmark goal: 65%.
Average dealer’s compliance level: 10%.
One way or another, sooner or later, dealers will be forced to evolve their IT. If it isn’t because of the FTC Safeguards Rule, it will be state legislatures or the U.S. Congress.
Rather than fight it, dealers can choose to view it as an opportunity to take their business to the next level and to protect the years of hard work they’ve put into it.
Evolving IT doesn’t just help dealerships become compliant with the FTC Safeguards Rule, the CCPA or the SHIELD Act. It helps them protect their systems and data, improve organizational productivity and meet the changing expectations of consumers.
Perhaps most important, evolving IT ensures that dealers’ hard-earned reputations stay intact. According to Total Dealer Compliance, 84% of consumers say they will not buy another car from a dealership if their data has been compromised.
Any dealer who values their reputation should not wait until legislation forces them to do what they should have done years ago.
The owner of a large dealer group in California told me he had no choice but to implement IT best practices because the damage to its reputation caused by a potential cyberattack would be a “business ender.”
Legislators who are pushing data privacy laws aren’t doing it to be mean or unreasonable. They’re doing it because they have no choice. Consumers have no choice when their data is stolen. Today’s business owners have no choice but to protect that data.
[Photo: Wards Industry Voices contributor Erik Nachbahr]
Today’s dealerships are technology companies, whether they realize it or not. The sooner they start acting like technology companies, the better off they and their customers will be.
Erik Nachbahr is president and founder of IT firm Helion Automotive Technologies.