The Federal Trade Commission will require car dealers to report data breaches of some unencrypted customer information beginning on May 13, 2024.
The announcement was made Nov. 27 during a webinar hosted by Brad Miller, chief regulatory counsel for the National Automobile Dealers Assn., and featuring speaker Katherine McCarron, FTC chief of staff and an attorney in the Division of Privacy and Identity Protection. The breach notification requirement is an amendment to the FTC’s Safeguards Rule.
“The Safeguards Rule was issued a few years ago, and the deadline for compliance was June 9 of this year,” says Miller. “But it’s not sort of ‘set it and forget it.’ Keep (that) in mind if you are still sort of finalizing some of the parts of your program or updating it or managing it as you go along.”
This latest amendment requires non-banking institutions, including car dealers, to report a breach if it involves unencrypted information that affects 500 customers or more, says McCarron. Dealers must make the notification, through a link on the FTC website that has not yet gone live, no later than 30 days after the breach is discovered.
Dealers should keep the following details shared by Miller and McCarron in mind as the FTC amendment moves toward enforcement:
- The event is defined not by state law but by federal statute. It does not impact the state laws that are in place.
- What counts as an unauthorized acquisition, and what actions must follow one, are “very fact-specific questions,” says McCarron. Basically, if the information taken is encrypted, that is not a notification event.
- Again, the notification must take place if it impacts 500 or more customers. “So, if a hacker gets into your system and steals customer information of 400 people, that is not a notification event,” says McCarron.
- The notification event does not include information collected from those who “casually visit your dealership to look at cars,” says McCarron. The rule is designed to protect the information from those who lease, buy or finance cars at a dealership.
- Dealers must be aware of their vendors’ data breaches. If such a breach occurs, the dealer should communicate with the vendor, its legal representative and its Safeguards Rule compliance officer to determine what actions to take.
“As you know, one of the requirements of the Safeguards Rule is to encrypt the data at rest and in transit. And so, you’re doing that anyway. And this is just another reason why it’s critical that you make sure that you’ve got those encryption pieces together,” says Miller. “Please encrypt your data.”