"The numbers are staggering, even if we're off by 10 or 20 percent," NADA President Peter Welch told Automotive News.
The association estimates the total expense incurred by U.S. franchised dealerships could top $2.2 billion in initial startup costs, plus $2.1 billion per year in ongoing costs.
"It puts a squeeze particularly on our smaller dealers," Welch said.
In addition to raising costs for dealers, the proposed provisions may not even prevent some of the breaches they are intended to stop, dealers and dealer advocates say. Lower compliance could be a consequence. But auto retailers' views aren't universally supported: Consumer advocates say any extra expenses should be the cost of doing business if that business includes financial transactions.
Some dealership software companies, including prominent dealership management system providers, told Automotive News they generally support enhanced data security. But they declined to comment directly on the proposals or share details of upgrades they might need to make should the FTC enact the changes.
DMS giant CDK Global Inc., for instance, told Automotive News in an email: "We consistently monitor and update security protocols based on changing regulations and requirements and we believe we are well-positioned to comply with the proposed changes to the (Gramm-Leach-Bliley) Safeguards Rule should they ultimately be adopted."
The Safeguards Rule, which took effect in 2003, implements the privacy provisions in the federal Gramm-Leach-Bliley Act. As it stands, the rule requires dealerships to designate a program coordinator; conduct risk assessments on software handling sensitive customer data; identify risks and design and implement safeguards to protect against them; oversee service providers; and periodically evaluate the program.
In its proposed changes, issued in March, the FTC seeks to strengthen the guidelines for how businesses considered financial institutions under the rule should protect consumers' private information as technology advances. The proposed changes are under consideration, FTC officials have said, with no timetable for a decision.
Auto dealers are required to follow the Safeguards Rule because they offer lease and financing agreements. In public comments to the FTC, submitted in August, NADA and the National Independent Automobile Dealers Association, which represents nonfranchised used-car dealerships, claim the FTC has not provided enough data to show that the proposed rule changes will lead to meaningful improvements in data security.
"These new requirements reflect an unhelpful shift from a prudent reasonableness standard to a set of prescriptive requirements that may make sense for certain entities but are ill-suited to other financial institutions — in particular, for smaller entities," NADA wrote in its public comment.