ORLANDO -- What's the No. 1 compliance hurdle for automotive dealerships today?
That was a contentious question at the F&I Industry Summit here, with little consensus among F&I experts. But power booking, bank fraud and lack of data protection are at least among the top contenders for putting dealerships at risk.
Jim Ganther, president of Mosaic Compliance Services, says the most common violation he comes across involves the Safeguards Rule.
More than half of the dealers he meets have never done a Safeguards Rule risk assessment, meaning they have been in violation of the Federal Trade Commission's rule since its inception more than 15 years ago.
But as technology advances hackers' ability to breach consumer data, dealers need to do more to prevent it. The most significant element dealerships lack, he says, is often a network vulnerability assessment.
"That scares the crap out of me. That means their security on customer data is like a screen door," Ganther said. "You're almost certainly losing data."
Randy Henrick, vice president and compliance counsel at Mosaic Compliance Services, concurs that data storage and protection remains an area with which dealerships have difficulty reaching compliance.
"Dealers are not very sophisticated when it comes to safeguarding data," Henrick said. "Walk into any dealership, and the first thing you'll see are credit apps in fax machines, copiers, desktops — but the real issue is electronic data security."
Henrick recommends limiting access to customer data to relevant personnel only, as well as retaining IT experts and conducting vulnerability assessments.
The rule also requires dealerships to have an established security incident response team made up of internal officers, such as the store's compliance and security officers, and external experts on retainer in forensics and security incident response, Henrick said. This group should meet regularly to run scenarios of fabricated security breaches to remain compliant.
Failing to apply these measures constitutes a deceptive trade practice under the FTC, Ganther says, which opens the dealership to punitive damages, attorney fees and negative press in the event of a security breach.