Editorial: Use Safeguards Rule extension wisely, dealers

The Federal Trade Commission's new consumer data security rule won't take effect now until June 6, which should be enough time for dealerships to come into compliance.

Auto dealerships and other small businesses have received a six-month stay on new mandates from the Federal Trade Commission on the agency's new Safeguards Rule, which seeks to bolster customer information security.

Dealers would be wise to use this extra time to ensure that their data house is in proper order when the unanimously granted extension expires June 9.

Instituted in 2021, the updated Safeguards Rule has nine elements that must be found in a dealership's cybersecurity program by the compliance deadline, originally Dec. 9.

Under the new rule, a business must hire or outsource a "qualified individual" to oversee the program and report to leadership; assess risks and minimize them; have a response plan should a breach occur; test or monitor its system; train staff; monitor vendors for information security, and adapt the system to changes at the business or other developments.

The National Automobile Dealers Association and other retail trade groups had sought a one-year extension, citing labor and supply shortages exacerbated by the pandemic. They got six months, and it looks unlikely another stay is in the offing. That is fine, because it shouldn't be needed.

The Safeguards Rule is part of the Gramm-Leach-Bliley Act, which was passed by Congress in 1999 and regulates business customer information practices. While the rule was passed by the FTC last year, its legal basis is now well-established and valued by consumers.

Related Article
Here's our 2022 list of the top U.S. dealership groups

Some business owners may grouse, as NADA did, about "dueling regulatory demands and the technological changes required for proper compliance." That seemed to be a misdirected dig at the FTC's rushed and uninformed proposed dealership compliance rules, but let us be clear: Compliance with the Safeguards Rule is work that has to be done.

Data breaches are no small affair, and they can be costly for those who ignore the threat and fail to properly protect their customer information. As we noted last year after a significant third-party data breach at Volkswagen Group of America, protecting customer information has always been a necessary job at dealerships. As file rooms have given way to server farms, there must be more than a lock on the door.

No doubt many dealerships would have already been in compliance had the Safeguards Rule gone into effect next month as planned. There will be no more excuses come June.

RECOMMENDED FOR YOU
Editorial: DE&I can help vehicle design, not just hiring
Letter
to the
Editor

Send us a letter

Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

Recommended for You
SCREEN-MAIN_i.jpg
Editorial: DE&I can help vehicle design, not just hiring
Editorial: GM's CarPlay decision is bold but highly risky
Traffic
Editorial: Aging U.S. fleet complicates emissions goals
Sign up for free newsletters
Digital Edition
Automotive News 6-5-23
THIS WEEK'S EDITION
See our archive
Fixed Ops Journal
Fixed Ops Journal 12-19-22
Read the issue
See our archive