Since early 2024, dealerships in California, Connecticut, Florida, Georgia, Maryland, Michigan, Nevada, New Jersey, Tennessee and Ohio have self-reported data breaches. Unfortunately, this is not an exhaustive list as dealership data breaches and cyberattacks are becoming more prevalent in the auto industry. It’s more important than ever that dealerships follow the FTC’s Safeguards Rule.
The Safeguards Rule sets the minimal cybersecurity standards that businesses must meet to protect customer information. With cyberattacks on the rise, the FTC has issued FAQs that clarify how the rule applies to dealerships.
Here are five things you should know about the Safeguards Rule.
1. Dealerships Are Financial Institutions
We don’t typically think of auto dealerships as financial institutions, but the FTC has clarified that, for the purposes of the Safeguards Rule, they can be.
Dealerships are considered to be financial institutions if they regularly assist consumers in obtaining credit or arrange financing for the purchase of vehicles.
2. Dealerships Have Responsibility Over Service Providers
One of the biggest questions the FAQs have cleared up is how the Safeguards Rule applies to service provider relationships.
A service provider is a third party that is permitted access to your customer information through a service they provide to you, such as payment processing or document shredding. Dealers are responsible for reporting data breaches that happen under their service providers.
3. Compliance Is a Team Effort
The Safeguards Rule requires that someone be appointed as the qualified individual, the person responsible for enforcing compliance at your dealership. This could even be a third-party individual, as long as they have a point person at the dealership to work with.
Regardless of who your qualified individual is, compliance will be a team effort.
You’ll need IT personnel to ensure the technical aspects of compliance, such as system encryption and the installation of antivirus software, are met. Employees will also need training on cybersecurity best practices, like how to spot a phishing scam.
4. Noncompliance Can Be Costly
The consequences of noncompliance can be huge. Your customers want to be able to trust you with their data during a purchase. Breaking that trust by exposing their information to hackers could mean losing their business.
Noncompliance can also lead to costly fines and lawsuits. A massive 92% of dealerships that have experienced a cyberattack reported negative financial impact on their business.
The FTC fine for noncompliance with the Safeguards Rule is up to $53,088 per violation. But that number can grow as the FTC reviews all records that were not properly protected and stacks violations.
Once the FTC takes action against a dealership for noncompliance, customers whose data was breached often hire attorneys to pursue class action lawsuits for negligence. And state laws may come into play, piling on additional repercussions.
It’s not hard to see how the average cost of a cyberattack on a small or medium-sized business could add up to more than $250,000.
5. Professional Support Is Available
The FAQs cleared up many points in the Safeguards Rule for dealerships, but the rule still has terms that are not well-defined and points that are open to interpretation. If you’re still struggling to understand your dealership’s obligations, reach out to a compliance provider for help.
When searching for a capable compliance provider, look for these qualities:
- Dedicated Support: Dealerships are complex organizations, so you want to make sure your provider will understand your business. Look for one that provides a dedicated account manager who will ensure you’re keeping your foot on the pedal of compliance.
- Comprehensive Software: Prioritize a provider with software that can track all your compliance requirements to ensure nothing’s missed.
- Training Capabilities: Compliance is a team effort. Look for a provider that offers training opportunities to keep employees educated about cybersecurity best practices.
- System Testing: Your provider should help make sure your technical systems are prepared too. Ask if they offer continuous monitoring, penetration testing and vulnerability scanning that tests systems for weaknesses that could be exploited by hackers.
A Cyber-Secure Business Is a Successful Business
Cybersecurity is like doing your taxes; it’s probably not something you want to spend time on, but it’s a crucial part of business operations.
Hackers understand that dealerships store a lot of valuable customer information. That’s why more than one-third of dealerships have been targeted for a cyberattack in the past year alone. Take the time to review the Safeguards Rule and new FAQs to ensure your company is properly protecting your customers’ information – and your dealership’s success.
About the Author
Adam Crowell is vice president of Legal & Compliance at KPA. KPA enables dealers to comply with state and federal regulations and proactively manage programs to reduce costs, minimize risk and increase productivity.