The Safeguards Rule took effect in 2003 under the federal Gramm-Leach-Bliley Act, which classifies dealers as financial institutions because they offer financing agreements. Revisions to the rule were approved on a 3-2 vote last month, with Commissioner Rohit Chopra voting in their favor before being sworn in as director of the Consumer Financial Protection Bureau.
The amended version contains five main updates that center on keeping data secure, such as limiting access to customer information and new requirements for encryption and multifactor authentication. It also requires institutions to designate one "qualified individual" to manage their information security program.
Organizations that collect information on fewer than 5,000 consumers are exempted from certain elements in the final rule, the commission said.
The full impact of the rule changes on franchised dealerships was still unclear late last week. The National Automobile Dealers Association, as of press time, was still reviewing the 145-page rule, as were compliance experts and dealership leaders who spoke to Automotive News.
NADA leaders raised multiple concerns about the proposed changes in public comments to the FTC in 2019 and 2020, and submitted a cost analysis that indicated U.S. dealerships could face billions of dollars in additional compliance costs if they were adopted.
NADA's analysis in 2019 suggested dealerships across the country would be required to spend hundreds of thousands of dollars each — per year — on compliance with the FTC's proposed changes to the Safeguards Rule. All told, the association estimated that U.S. franchised dealerships would need to spend $2.2 billion in initial startup costs, followed by $2.1 billion in annual costs.
"The final amendments to the Safeguards Rule contain a significant number of new and expanded requirements for dealers and other financial institutions that depart from the FTC's flexible and self-modernizing approach to data security compliance that has worked well for nearly 20 years," NADA spokesman Jared Allen said in a statement to Automotive News last week.
"While we are pleased that the FTC, in direct response to NADA's input, made significant changes and provided important clarifications to the proposed amended rule," he continued, "many of the new requirements being imposed still lack the scalability and flexibility that will make them achievable by smaller businesses. Unfortunately, this will likely lead to increased costs and liability exposure for dealers without producing corresponding benefits to consumers."