Editor's note: Equifax was the focus of a massive data breach. The name of the company was incorrect in an earlier version of this editorial.
The Federal Trade Commission has a difficult job when it comes to data privacy: Its mandate is to ensure that financial institutions safeguard American consumers’ personal data. And a wide array of companies act, in at least some ways, as financial institutions, including auto dealers. With all of the attempts to illegally access, sell and otherwise abuse consumers’ data, it’s wise that the commission continues to update its standards and guidelines.
But the FTC’s current proposal to change how borrowers’ data is collected, stored and transmitted appears to go too far — saddling entities from small, family-owned dealerships to payday lenders, mortgage brokers and federally insured banks with the same slew of mandatory practices.
The National Automobile Dealers Association contends that the newly proposed rules would add hundreds of thousands of dollars a year in regulatory costs — plus hundreds of thousands in upfront costs for each small or midsize dealership making the changes.
The latest FTC proposal could more than double the regulatory burden on most auto dealers — after tripling it in the first year — NADA projects.
Dealers and their advocates might be seen as defensive and instinctively wary of any new regulations. Fair enough. But with profits being squeezed and new-vehicle sales starting to sag, it’s understandable that they would be anxious about new costly strictures.
And the new rules might not even prevent the kinds of massive breaches at Target or Equifax or dealership software vendor DealerBuilt. As dissenting commissioners pointed out: Many of the recommendations are based on New York state rules from 2017, and their effectiveness has not yet been demonstrated.
The FTC’s rules under the Gramm-Leach-Bliley Act have since 2003 followed a reasonableness standard, ordering companies to implement whatever procedures are needed to protect data, rather than prescribing how companies do it.
Perhaps it’s time to update and toughen the rules, but this is not the way to do it. The commission is taking input from interested parties before it issues a final rule. It should listen carefully to America’s entrepreneurs and not strangle their businesses in the name of theoretical security.