Amended FTC Safeguards Rule
Amended FTC Safeguards Rule: What you need to know
The Federal Trade Commission (FTC) issued amendments to the Safeguards Rule on October 27, 2021, strengthening data and information security requirements for financial institutions. The amendments include a substantial number of new and expanded requirements that financial institutions, including dealerships, must satisfy to meet their information security obligations.
The Amended Rule requires financial institutions under FTC jurisdiction to have measures in place to satisfy the Rule by December 9, 2022. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers also safeguard customer information in their care.

What has changed
The Amended Rule modifies the current flexible approach to data security by mandating a list of requirements that all financial institutions must meet, regardless of their size or the types or scope of customer data they maintain.
For a dealership to comply with the Amended Rule, it must take each of the steps and actions as outlined.
In addition, dealers are responsible for ensuring that vendors who access any customer data also comply with these same requirements, and for monitoring and auditing their performance for compliance. If a dealership is unable to manage vendor compliance, the FTC has said that the dealer may no longer engage that vendor.[1]


Risks
What is at stake for dealers who don’t comply goes beyond fines and reputational damage. Noncompliance can put the business itself in jeopardy.
Liability for deceptive trade practice
Dealerships that do not comply with the Safeguards Rule can be liable for deceptive trade practices. While an individual may not sue a dealership for violating the Safeguards Rule (i.e., there is no private cause of action: the Rule can only be enforced by the federal government), a violation of the Safeguards Rule is considered a deceptive trade practice, and an individual may sue a dealership for deceptive trade practices.
Importantly, there are state law requirements to notify victims of identity theft. If you have a breach, you must notify all victims, increasing the likelihood, if not guaranteeing, that you will get sued.
Banks might not buy your paper
There is debate over whether or not a car dealership is a service provider, as defined under the Rule. If dealers are service providers and they do not demonstrate that they are complying with the Safeguards Rule, banks that are independently covered by the Safeguards Rule may not buy the dealership's paper.
Even if dealerships are not considered service providers under the Rule, banks are already sending out dealer agreement addenda stating if the dealership does not follow the Safeguards Rule they will not buy your paper.

Compliance Services
Jim Ganther is President of Mosaic Compliance Services. He is an attorney and author of Compliance For Green Peas (and Old Dogs Who Think They Know it All). Mosaic helps dealers establish a compliance culture within their dealerships, providing legal training, materials, resources, and tools. Mosaic has also developed a comprehensive Safeguards solution to help dealers meet their obligations under the Rule.
In partnership with Zurich, Mosaic provides Zurich customers and employees ongoing compliance training and education.
The road to compliance with the amended Safeguards Rule can seem overwhelming. Jim provides his perspective on the first, most urgent steps:
Where do I begin?
The updated Safeguards Rule adds many important tasks and subtasks to the original Rule. While it is mandatory that all of the tasks be completed – and documented – by December 9, 2022, there is no requirement that they are accomplished in any particular order. So where should you begin?
The obvious first task would be to designate the dealership’s Qualified Individual. Note that the Rule requires an “individual,” not individuals. There must be one person in charge of your overall Safeguards effort. That person may be the “Program Coordinator” the original Rule required, or someone else. It is critical that the person have significant authority within the dealership to implement change and ensure compliance. How far up the chain of authority the Qualified Individual is tells everyone how seriously the dealership takes the Safeguards Rule.
One more thought about the Qualified Individual: the qualification is that the person can oversee the Safeguards Program, not the ability to personally perform all of the technical functions necessary to come into compliance. The duties of a Qualified Individual may be subcontracted to a third party; the responsibility of seeing that those duties are performed may not.
Once the Qualified Individual is designated, the next step should be to begin the process of overseeing your Service Providers. Service Providers are those individuals or companies that gain access to your customers’ personal information in the course of performing services for your dealership. The definitions of “nonpublic personal information” and “personally identifiable financial information” that must be protected are quite broad, so it is best practice to assume any customer information should be protected.
How to “oversee” your Service Providers is described in NADA’s A Dealer Guide to the FTC Safeguards Rule starting on page 22. Why is it so important to begin this process immediately? Because the FTC makes it clear that you cannot do business with Service Providers that don’t demonstrate compliance with the Rule. As a practical matter, that means you need to start looking for vendors that can, to replace those that cannot, well before the December 9, 2022, enforcement deadline.

Resources
The NADA Dealer Guide to the FTC Safeguards Rule provides in-depth examination of the Rule and its requirements, helping dealers understand the scope of the law, their risks and responsibilities.
[1] NADA, Amended Final Safeguards Rule Preliminary FAQs, November 5, 2021.