Compliance alert: Car dealerships must act now to meet FTC data privacy mandate
By Jay A. Goldman, CPA
Car dealerships and other businesses that collect sensitive consumer data have until June 9 to implement a wide-ranging series of safeguards or face potential civil and criminal penalties from the Federal Trade Commission.
The FTC revised its “Safeguards Rule” in October 2021 and initially set a compliance deadline of December 9. It extended the deadline in November to allow smaller companies to comply with the potentially expensive and time-consuming requirements.
Boyer & Ritter can assist dealerships and other businesses with the new regulations. Our firm also works with several IT firms knowledgeable about the FTC requirements.
Under the amended Safeguards Rule, the FTC requires dealerships and other companies dealing with financial information to:
- Designate a qualified individual to oversee the information security program.
- Develop a written risk assessment.
- Limit and monitor access to sensitive customer information.
- Encrypt all sensitive data to protect it from unauthorized access.
- Train security personnel to handle data security incidents effectively.
- Develop an incident response plan to address and mitigate potential breaches promptly.
- Periodically assess the security practices of service providers.
- Implement multi-factor authentication or equivalent protection for customer information access.
Direct impact on auto dealers
The FTC developed a separate FAQ and business guide specifically for dealers. The agency stresses that the new requirements apply to dealerships that:
- Extend credit to someone (for example, through a retail installment contract) when purchasing a car for personal, family, or household use.
- Arrange for someone to finance or lease a car for personal, family, or household use.
- Provide financial advice or counseling to individuals.
To read the dealer-specific FAQ and small business guide, along with links to additional compliance information, visit: https://www.ftc.gov/business-guidance/resources/ftcs-privacy-rule-auto-dealers-faqs
The consequences of not acting
The FTC had requested a budget increase of $160 million – money the agency said would go, in part, for “increasingly complex consumer protection investigations, including privacy and data security issues.”
While the agency’s ultimate 2024 budget is still uncertain, it is clear the FTC is making consumer data security a priority.
Navigating the complexities of the FTC's Safeguards Rule requirements demands a comprehensive cybersecurity program that includes both hardware and software reviews and a look at internal procedures.
With the June 9 deadline fast approaching, dealerships must prioritize compliance to shield themselves from potential financial and reputational harm.
The Boyer & Ritter team is ready to help ensure your dealership meets the FTC requirements.