OFFICIAL PUBLICATION OF THE WEST VIRGINIA AUTOMOBILE DEALERS ASSOCIATION

Pub. 2 2021 Issue 4

New and used cars

Counselor’s Corner: New Safeguards Rule

Happy New Year, everyone. I don’t think it is too late to wish this to you. As we start this new 2022 year, I know we all hope and wish that COVID-19 will greatly diminish this year and inventory will improve. Unfortunately, in the midst of this uncertainty, the Federal Trade Commission is implementing an amended Safeguards Rule to protect the security of consumers’ non-public personal information (NPI). Importantly, please understand that most of the new requirements must be in place by Dec. 9, 2022, so now is the time to start preparing. The National Automobile Dealers Association (NADA) has estimated that compliance will average $293,000 in startup costs and approximately another $275,000 annually to maintain. Further compounding this financial burden is that non-compliance can result in civil penalties of up to $46,517 per violation. Now that I have your attention, allow me to provide an overview of the new rule.


These changes amend the existing FTC Safeguards Rule. Its companion, the Red Flags Rule, enforced since 2011, is what caused most dealerships to implement an Identity Theft Prevention Program commonly referred to as a Red Flags Policy. I remember drafting approximately 50 of these plans for our West Virginia dealers. Under the original Safeguards Rule, the Federal Trade Commission (FTC) used a flexible “reasonableness” standard which allowed a dealership to evaluate the risks particular to it and take into consideration its size, location, and history of privacy violations. The amended Safeguards Rule has largely abandoned this reasonableness standard in favor of a prescriptive list of requirements that a dealership must follow regardless of its volume or historical experience with privacy violations or identity theft events. The one concession to size is that a dealership maintaining information on fewer than 5,000 consumers is exempt from a handful of the new elements (among them the written risk assessment, the written incident response plan, and the annual board report), but not from the core safeguards discussed below.

The new Safeguards Rule is very detailed, and my intent below is to provide you with a very high-level overview. Implementation is going to require a team effort of ownership, management, technology specialists, and legal counsel. My advice is to start now.

I provided formal comments to the FTC as President of the National Association of Dealer Counsel (NADC) approximately eighteen (18) months ago, and NADA has been intimately involved with the FTC and engaged in constant communication and advocacy with the FTC to lighten the impact of these Rules. One victory that did come from these discussions is that there is no requirement to hire a certified information security professional, whose salary can exceed six figures. Instead, the new Safeguards Rule requires the appointment of a “qualified individual,” which replaces your old “program coordinator.” A dealership is allowed some flexibility for this position, but the person must be qualified to oversee and implement your information security program and the systems and procedures that protect your particular data. These tasks can be outsourced to a technology or security provider, but note the catch: if you do so, the dealership retains responsibility for compliance, must designate a senior employee to direct and oversee the outsourced qualified individual, and must require that provider to maintain its own information security program.


The FTC is going to require a new written risk assessment and a written information security program. There are also requirements for written procedures addressing how a dealership will respond to a security event involving consumer information and for written reports, at least annually, to your Board of Directors or equivalent senior management.

Turning to more specific requirements, there will be a requirement for a data and systems inventory. This requirement applies to all your computer systems, not just those that store the NPI of consumers. A dealership will be required to inventory all electronic and computer equipment. A dealership will also be required to inventory all software programs, identify who has access to consumer information (including vendors), and determine which employees have access to which consumer information. The inventory could be as broad as a salesperson’s mobile phone, particularly if it holds consumer NPI or can access it. NADA recommends this inventory be written.

Periodically, a dealership will be required to evaluate and categorize security risks and threats, define the criteria used to assess those risks and threats, and document how the dealership will either mitigate or accept each risk. A dealership will also be required to determine how it will specifically address these issues. This is going to require the hiring of an IT security firm or person, or greater consultation with your existing IT provider.

The written security program will be required to address certain regulatory objectives and substantive areas. These are set forth in the FTC Safeguards regulation and are quite detailed and beyond the space limits of this article. Please understand that NADA is working on templates that can be molded to your particular dealership. Consequently, some help will be forthcoming.

As stated above, a written incident response plan will be required and must set out clear procedures for how a security event will be handled. This will obviously require time to evaluate and decide how you will respond, who will be involved, and what specific tasks will be undertaken. The FTC wishes to make sure that a dealership has given serious evaluation and thought to this. A dealership will then be judged on how it followed this response plan in the event of a privacy violation or identity theft event.

Our technology systems will require encryption of consumer information both in transit over external networks and at rest on our systems, and multi-factor authentication for anyone accessing a system that contains consumers’ NPI. This will further require system monitoring: either continuous monitoring or, failing that, annual penetration testing plus vulnerability assessments at least every six months. Importantly, this also applies to vendors who have access to our systems. Consequently, communication and coordination with vendors need to be undertaken to implement the Rule by the end of this year.

Dealerships are going to be required to have access controls for consumer information, limiting each user to the information needed for their job. This will require the potential expenditure of money for new software to accomplish this requirement, and there is an additional requirement to oversee management procedures for access to consumer information. Interestingly, the Rule asks that consumer information be disposed of no later than two years after its last use, which we, as dealerships, often cannot do, but there are exceptions where retention is necessary for a legitimate business purpose or required by law. Unfortunately, this means that dealerships are going to have to evaluate this, justify and document the business exception, and create more formalized document retention and destruction policies.

Of course, all this is going to require initial and ongoing training for all personnel, which will need to be documented and verified. Last, one of the most challenging tasks, after determining who has access to your customers’ information, is reviewing the contracts of vendors and determining whether the vendors are complying with the new Safeguards Rule. I would recommend reaching out to these vendors and requesting updated contracts or addendums which are Safeguards Rule compliant. They also need to communicate to you how they are becoming compliant with the new Safeguards Rule.

This will be quite a challenge, so I recommend starting now. I have been informed that NADA is putting out a Driven guide soon with templates to consider. This will be very helpful, but in the legal world, forms are dangerous if applied blindly without thought and consideration about how you do business and an evaluation of your individual needs and exposures. I strongly encourage you to reach out to knowledgeable counsel, and as always, the Association stands ready to assist you.