
FTC Extends Deadline for Dealer Data Security Rule

The FTC on Nov. 15 extends the deadline to comply with its Safeguards Rule. Here’s expert advice on what dealers need to do to begin compliance and avoid stiff monetary penalties.

The Federal Trade Commission is giving dealerships a six-month extension to comply with the amended Safeguards Rule, providing dealerships more time to shore up any deficiencies and work toward compliance. The rule had been scheduled to take effect Dec. 9.

According to the National Automobile Dealers Assn. (NADA), which lobbied with other industry groups for the extension to June 9, 2023, the rule “contains a significant number of new and expanded procedural, technical, and personnel requirements that financial institutions, including dealers, must satisfy to meet their information security obligations.”

Basically, that means financial institutions, including dealerships, must have measures in place to lock down customers’ personal and other sensitive information, and that extends to a dealership’s service providers. The FTC publishes guidelines that spell out the requirements.

One of the most important measures in any compliance plan is to track 100% of everything on a dealership’s network, says Chris Williams, a senior associate and cybersecurity advisor at Eide Bailly. That includes wireless connections, hardware and software, and even cameras. It covers devices at the dealership and in the private homes of dealership staff.

“All those things can become areas of attack for threat actors,” Williams tells Wards. “There are always bad guys trying to figure out how to gain access to a network.”

All dealerships must account for all the data, including employee records, accessible through those devices.

CDK Global’s State of Cybersecurity in the Dealership 2022 study found that 85% of dealers say cybersecurity threats are “very” or “extremely” important compared to other operational areas. Yet industry insiders note many dealerships don’t sufficiently guard against such threats.

The amended Safeguards Rule has 16 updates, including having a “qualified” individual to oversee cybersecurity, required audit trails, and a periodic assessment of service providers. The CDK study found only 35% of survey respondents “knew the Rule well.”

Auto retailers are “finding the Safeguards Rule hard to understand or complete,” Anu Roberts, CDK’s senior director of product marketing, tells Wards.

Some industry insiders say missteps occur because some dealership leaders have not hired qualified professionals to handle the needed security.

Dealerships can begin the compliance process by completing an assessment from a qualified vendor to identify gaps and working with their legal team to address any additional FTC rules, she says.

While it is clearly in their best interest to say so, vendors recommend using a third party to monitor compliance. Various dealers tell Wards they have done so with success. And it does make sense. That third-party company serves as a watchdog over other third parties dealerships rely on for information technology and other functions. Under the revised Rule, dealerships are responsible for both their service providers’ practices and their own.

Partnering with a managed service provider on cybersecurity helps take the guesswork out of FTC compliance, says CDK’s Roberts.

And, Safeguards Rule aside, most states have data breach laws that further complicate compliance.

To be sure, complying with the Safeguards Rule will be expensive. NADA estimates the onetime, upfront average cost to a U.S. franchised dealer to be $293,975, and the average annual cost will be $276,925.

The cost of noncompliance can be high both monetarily and reputation-wise, however. The average payout for a ransomware attack is $228,125, says CDK. And the FTC penalties include fines of up to $43,792 per violation.

Then there is the cost to a dealership’s reputation. Los Angeles law firm Scali Rasmussen says a client suffered a data breach that was not the client’s fault.

In the case of a breach, a California dealership must notify the state’s Attorney General, which then posts the data breach on its website. As soon as the notice of the client’s violation was made public, a law firm put a message on its website asking those that suffered a data breach to contact them for possible litigation action, says Scali Rasmussen.
