OFFICIAL PUBLICATION OF THE WEST VIRGINIA AUTOMOBILE DEALERS ASSOCIATION

2025 Pub. 6 Issue 2

FTC Myths vs. Reality

A Cybersecurity Perspective

In 2024, many in the automotive retail industry, including dealer associations and industry consultants, speculated that a new presidential administration would bring sweeping deregulation, including a potential slowdown in the enforcement of rules like the FTC Safeguards Rule. That belief was circulated through 20 Groups, dealer forums and vendor channels, prompting some dealers to question whether continued investment in cybersecurity compliance was necessary.

However, recent research and enforcement data show that the expectation of lighter federal oversight may be more myth than reality, especially when it comes to the Federal Trade Commission. At OCD Tech, we analyzed FTC enforcement activity across administrations and found that the agency’s actions have been strikingly consistent — regardless of who is in the White House.

Let’s look at the data.

Myth #1: FTC Enforcement Is More Lenient Today 

When we compared full-term FTC enforcement activity in the auto industry between the current administration’s first term and the past administration, we found nearly identical numbers:

  • Current Administration: 19 enforcement cases involving the auto industry.
  • Past Administration: 20 cases.

The same pattern holds when we zoom out to FTC enforcement across all industries:

  • Current Administration: 925 total FTC enforcement actions.
  • Past Administration: 926 actions. 

This shows no meaningful difference in enforcement volume or intensity between administrations. Regardless of changes in leadership, the FTC has remained active in pursuing consumer protection violations — including those tied to cybersecurity and data handling.

Myth #2: A Second Trump Term Will Bring Immediate Deregulation

Some in the industry believed that a second Trump term would quickly reduce or delay enforcement of the Safeguards Rule. But enforcement patterns during the first 100 days of each term suggest otherwise.

  • In the first 100 days of Trump’s second term (2025): 2 enforcement actions in the auto industry. 
  • Biden’s first term (2021): 0 actions in the auto industry.
  • Across all industries:
    • Current Administration: 49 FTC enforcement actions
    • Past Administration: 51 FTC enforcement actions

Again, the numbers are virtually identical. The FTC has proven to be a nonpartisan enforcement body — continuing its oversight work no matter the political landscape.

The Real Enforcement Mechanism: Breach Reporting

One reason some dealerships downplayed the risk of FTC enforcement is that, historically, few enforcement actions have directly cited the Safeguards Rule. However, that changed in May 2024, when a new FTC breach notification requirement took effect. This rule mandates that covered entities — including auto dealerships — must notify the FTC within 30 days of discovering certain security breaches involving customer information.

This change created a built-in enforcement mechanism. If a dealership suffers a qualifying breach and fails to report it, the dealership is now subject to regulatory scrutiny, not because of a random audit, but because it failed to comply with a mandatory disclosure requirement. For a breached dealership, this adds insult to injury.

The FAQ That Raised Eyebrows

In May 2025, the FTC published a new FAQ addressing common questions about the Safeguards Rule, including which businesses are covered, how to meet encryption standards, and what a written information security program should include. While the agency hasn’t published any formal cases against auto dealerships under the Safeguards Rule, the timing of this FAQ was notable given that we saw several dealerships fall victim to ransomware attacks within the past year. 

It came almost exactly one year after the CDK Global ransomware attack, which disrupted operations at over 15,000 dealerships nationwide. Though the FTC has not stated that the FAQ was issued in response to events like these, it’s reasonable to interpret the publication as a proactive reminder: Dealerships are still very much subject to the Safeguards Rule, and enforcement may simply be a matter of time.

State Laws: The Hidden Threat to Noncompliant Dealers

Even if federal enforcement seemed to pause (again, the data doesn’t support that), it wouldn’t mean dealers are in the clear. As of July 2025, 19 U.S. states have passed comprehensive data privacy or cybersecurity protection laws. Most others have some sort of basic protection laws for residents, and many have industry-specific ones at the state level. More states are introducing bills every year, and these laws increasingly apply to businesses that collect consumer or employee data.

Just weeks ago, Oregon proposed an amendment targeting cybersecurity and data protection responsibilities within the auto industry, starting with manufacturers but potentially extending accountability to dealers. This is a trend worth watching, especially as many of these state laws carry private right of action provisions, enabling consumers to file lawsuits independently of government enforcement.

Litigation Risk: Class Actions and Ransomware Fallout

In several high-profile ransomware cases affecting dealerships over the past year, we’ve seen a sharp rise in class action lawsuits filed not only by consumers but also by dealership employees whose personal information (including Social Security numbers) was exposed. Even when regulators don’t act, civil litigation can be financially devastating.

Cybercriminals are increasingly aware of Safeguards Rule requirements and use them to their advantage. In some cases, attackers have threatened to report noncompliant victims to authorities if ransom demands aren’t met. While this tactic hasn’t been widely seen in auto retail yet, it’s a known trend in other industries and further underscores the importance of timely breach reporting.

A Practical Path Forward

Fortunately, there is good news. Most federal and state data protection rules overlap significantly. The FTC Safeguards Rule, state privacy laws and even consumer litigation risk can all be addressed by adopting foundational cybersecurity practices that protect customer and employee data.

At OCD Tech, our approach is rooted in the Center for Internet Security (CIS) Controls — a set of prioritized actions developed by experts to reduce risk. We help dealerships build risk-based, evolving information security programs that align with legal requirements but are also practical and scalable. That means no wasted effort — just smart, defensible security strategies.

Conclusion: Focus on Risk, Not Rhetoric

Dealers don’t need to obsess over political cycles to make smart decisions about cybersecurity. Enforcement data shows that FTC action has remained steady, regardless of administration. More importantly, the risk landscape — ransomware, litigation, state laws — is growing more complex.

Rather than guessing what Washington, D.C., will do next, the safer bet is to treat compliance as a business risk, not a regulatory checkbox. The FTC Safeguards Rule isn’t just about rules — it’s about protecting your dealership, your customers and your employees from real and growing threats.

To learn more about OCD Tech — SecurePath, please visit securepath.ocd-tech.com or email Robbie Harriman at rharriman@ocd-tech.com. Robbie is director, advisory services at OCD Tech. Robbie joined the firm in May of 2016. Prior to working at OCD Tech, Robbie worked in IT for other companies, including the heavily regulated casino industry. He currently oversees OCD Tech’s Advisory services, which include security assessments as well as government compliance services, including DFARS, NIST and CMMC for organizations in the Defense Industrial Base. Robbie has a diverse range of experience in the IT field, with a deep background in IT systems administration and control areas. Robbie presents regularly at events and contributes to security-related publications. 
