The Federal Trade Commission’s newly announced updates to its Safeguards Rule aim to strengthen security around consumer financial information. For auto dealers, it means new reporting rules.
Announced Oct. 27, the final changes to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLB) are the result of a multiyear process aiming to combat the ever-rising uptick in data breaches.
For auto dealers who must comply with the new rules when they are fully effective, it means action is needed now to protect their companies from costly private lawsuits and enforcement actions for failure to comply with the updates.
Most dealers, as “financial institutions” under the GLB, have been subject to the Safeguards Rule for decades. The rule has long required that dealers assess the risk to the security and privacy of consumer financial information, implement a plan to secure that data, regularly monitor and update that plan, and designate an individual to be responsible for the plan.
The latest changes are more prescriptive, imposing new specific criteria financial institutions must meet, where the requirements were previously more general and subject to flexible interpretation.
Financial institutions must now address specific topics in their risk assessments and produce a written report of the assessment.
The update further requires that each safeguarding plan address particular issues, including access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing and incident response.
It also requires financial institutions to adopt measures to oversee the effectiveness of the safeguarding plan, required employee training and any services from an external provider.
Another major change is accountability. For example, while the current rule allows a financial institution to designate one or more employees to be responsible for the safeguarding program, the update requires the designation of a single “Qualified Individual,” as defined.
Institutions must also now provide periodic reports to boards of directors or governing bodies. In short, the update raises the stakes for owners and managers, as it requires direct involvement from senior leadership in safeguarding consumer data.
Finally, the update adopts some relief for smaller financial institutions. The update exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan and annual reporting to the Board of Directors.
The bottom line for dealers is that the updated rule requires action, both upfront and on an ongoing basis. In the event of a data breach or incident, failure to comply with the specific requirements of the update will provide a clear basis for a federal enforcement action and may support costly civil lawsuits, especially in California.
The updates will be effective a year from their publication in the Federal Register, which should happen within the next several days.
The National Automobile Dealers Assn. plans to release detailed compliance guidance in the future. Dealers can also expect that data security vendors will inundate them in the coming weeks and months with sales pitches for compliance solutions.
Prior to signing up with any new vendor, every dealer should understand how the update applies to them, what aspects of the update they already comply with, and how the update interacts with state privacy laws.
Attorney Monica Baumann (pictured, above left) is a shareholder with Scali Rasmussen PC, specializing in cybersecurity and employment law, particularly in the automotive industry.
