Following this year’s significant cyber security incident involving many dealerships’ third-party service provider, security and privacy questions continue to arise relating to various types of information and data. As a reminder, under the Federal Trade Commission (FTC) Safeguards Rule additional changes[1] went into effect last year impacting, among other things, dealerships’ digital communications.
Additionally, along with these changes, the amended Safeguards Rule requires dealerships to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. After an extension by the FTC, certain of these changes went into effect as of June 9, 2023. These provisions required dealerships to:
· designate a qualified individual to oversee their information security program;
· develop a written risk assessment;
· limit and monitor who can access sensitive customer information;
· encrypt all sensitive information;
· train security personnel;
· develop an incident response plan;
· periodically assess the security practices of service providers; and
· implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
The amended Rule also updated the employee security training requirement. Dealership security awareness training must reflect the risks identified in the risk assessment, and security personnel must receive ongoing training. This includes verifying that security personnel are taking steps to stay current on emerging threats and countermeasures.
While dealerships should by now have their policies in place and implemented, the Safeguards Rule changes also include standards and procedures for data security which require dealerships, pursuant to their updated security programs, to notify the FTC of security incidents that affect at least 500 customers, and to ensure “end-to-end” encryption of personally identifiable information (PII) sent digitally over external networks. In other words, PII exchanged between dealership personnel and customers must be encrypted in transit. This means that, for a dealership to be compliant, the use of unsecured, unencrypted text messages and email is not permitted.
One obvious problem, however, is that purchase transactions may routinely be initiated and conducted via email and text messages, including, without limitation, communications that flow through the dealership’s DMS and CRM systems and through texting and messaging applications. Some have also argued that shortcomings on the part of certain dealership cyber security consultants and software providers mean that they are not delivering solutions that satisfy the encryption requirement for in-transit exchanges.
This becomes particularly problematic when one considers, for example, the volume of personal data from existing and past customers held on a dealership salesperson’s phone. This data might be located in a number of places, including, without limitation, the phone’s text history, photo library, and other repositories, as well as data backed up to a cloud service that might be shared. Each item mentioned would constitute an incident under the FTC Safeguards Rule and a fineable offense, with the maximum fine, per incident, being $50,120.00. Moreover, the Safeguards Rule broadly covers both past and current dealership employees and past and current dealership customers, with authority granted to the FTC to investigate retroactively. Pursuant to the FTC’s enforcement authority in the course of such an investigation, it may subpoena dealership email, text and phone records, including directly from the dealership’s vendors.
Dealers need to ensure their full compliance with the FTC Safeguards Rule. This includes having in place security measures designed to protect customer PII while it is in transit. At a minimum, this requires using secure technology for email, text messages, passwords, logins, accounts, and the like. Consultation with the dealership’s cyber security advisor or technology consultant and its legal advisor is warranted to ensure the dealership is compliant in every respect with the FTC Safeguards Rule.
[1] The FTC Safeguards Rule implements the Gramm-Leach-Bliley Act (GLBA) of 1999; the FTC had previously amended the Rule in 2021 to address current technology and expand guidance for businesses.