Dealers assessing potential cost of tougher federal Safeguards Rule

WASHINGTON — U.S. auto dealerships will be expected to toughen up their information systems security following a series of sweeping amendments to the federal Safeguards Rule, which dictates how financial institutions protect consumer data.

The Federal Trade Commission issued a final rule last week cementing in place more detailed procedures and specific criteria that those institutions, including auto dealers, must implement as part of their information security programs to curb data breaches and cyberattacks that could jeopardize sensitive customer data.

Now dealers are left to sift through the updated regulations and figure out to what degree compliance will impact their bottom lines.

The Safeguards Rule took effect in 2003 under the federal Gramm-Leach-Bliley Act, which classifies dealers as financial institutions because they offer financing agreements. Revisions to the rule were approved on a 3-2 vote last month, with Commissioner Rohit Chopra voting in their favor before being sworn in as director of the Consumer Financial Protection Bureau.

The amended version contains five main updates that center on keeping data secure, such as limiting access to customer information and new requirements for encryption and multifactor authentication. It also requires institutions to designate one "qualified individual" to manage their information security program.

Organizations that collect information on fewer than 5,000 consumers are exempted from certain elements in the final rule, the commission said.

The full impact of the rule changes on franchised dealerships was still unclear late last week. The National Automobile Dealers Association, as of press time, was still reviewing the 145-page rule, as were compliance experts and dealership leaders who spoke to Automotive News.

NADA leaders raised multiple concerns about the proposed changes in public comments to the FTC in 2019 and 2020, and submitted a cost analysis that indicated U.S. dealerships could face billions of dollars in additional compliance costs if they were adopted.

NADA's analysis in 2019 suggested dealerships across the country would be required to spend hundreds of thousands of dollars each — per year — on compliance with the FTC's proposed changes to the Safeguards Rule. All told, the association estimated that U.S. franchised dealerships would need to spend $2.2 billion in initial startup costs, followed by $2.1 billion in annual costs.

"The final amendments to the Safeguards Rule contain a significant number of new and expanded requirements for dealers and other financial institutions that depart from the FTC's flexible and self-modernizing approach to data security compliance that has worked well for nearly 20 years," NADA spokesman Jared Allen said in a statement to Automotive News last week.

"While we are pleased that the FTC, in direct response to NADA's input, made significant changes and provided important clarifications to the proposed amended rule," he continued, "many of the new requirements being imposed still lack the scalability and flexibility that will make them achievable by smaller businesses. Unfortunately, this will likely lead to increased costs and liability exposure for dealers without producing corresponding benefits to consumers."

Updates to the FTC's Safeguards Rule have been years in the making, with the federal watchdog proposing in March 2019 several amendments governing what steps financial institutions should take to protect consumers' data and prevent data breaches. The FTC asked for public comment and also held a workshop exploring some of the issues raised in response to the proposed changes.

In its own cost study from 2019 on the FTC's initial proposal, NADA said the expense incurred by U.S. franchised dealerships could range from roughly $220,000 for small dealerships to more than $300,000 for midsize dealerships in upfront costs, plus additional expenses each year after to maintain compliance. Then-NADA CEO Peter Welch told Automotive News in 2019 that those were conservative estimates.

One provision — that of naming a "qualified individual" to coordinate a financial institution's data security program — originally appeared in the FTC's revisions as a "chief information security officer." That term prompted concerns from groups, including NADA, about the potential cost associated with the position.

The FTC said it did not propose requiring financial institutions to give that title to the employee and acknowledged such concerns by changing the term in the final rule.

"By using the term 'CISO,' the commission did not intend to require that all financial institutions hire a highly qualified professional with an extremely high salary, regardless of the financial institutions' size or complexity," it wrote. "The proposed rule required only that financial institutions designate a 'qualified individual' to oversee and enforce their information security program, without specifying any particular level of experience, education or compensation."

Ed Mierzwinski, senior director of the federal consumer program for the U.S. Public Interest Research Group, said industry studies of costs and benefits are "typically worst-case projections."

"I would stress the commonsense nature of many of the requirements," he said, citing best practices such as encryption and two-factor authentication. "Shouldn't a computer system or network at any business — especially where multiple employees have access — require the same?"

Terry O'Loughlin, compliance director for dealership management system provider Reynolds and Reynolds, told Automotive News last week that he hadn't yet read through the entire rule, but requirements to hire the qualified individual and conduct risk assessments are among the provisions that could most affect dealerships.

A number of details are still unclear in the final rule, said Michael Alf, general manager at St. Charles Toyota in Illinois.

Among his questions: What constitutes a "qualified individual" for a dealership to be in compliance with that requirement? How is the exemption for financial institutions that have information on fewer than 5,000 consumers calculated? For a dealership, does that mean it sells fewer than 5,000 vehicles each year? How are service customers factored into the tally? What standards do a dealership's third-party vendors need to meet?

"It's those details that I still haven't been able to clear up yet," Alf said.