Dealership Data Breach Reporting Requirement

On November 13 the Federal Trade Commission posted a significant amendment to the Safeguards Rule. This new Safeguards amendment directly impacts dealers' approach to compliance and how the FTC will be enforcing the Rule. According to the Commission, the goal of the amendment is to “enable more efficient enforcement of the Rule, which will in turn increase financial institutions’ incentive to comply on the amendment.”

Here are the details of the New Safeguards Amendment for Dealers:

• Reporting breaches: The “Final Rule requires financial institutions to report notification events, defined as the unauthorized acquisition of unencrypted customer information, involving at least 500 customers to the Commission.”

• 30 days to self-report: The notice must be provided to the Commission within 30 days of knowing about the breach and be submitted electronically via a form (forthcoming) located on the FTC’s website, https://www.ftc.gov.

• Enforcement is coming: “The need for and the objective of the Final Rule is to ensure that the Commission is aware of notification events that could suggest a financial institution’s security program does not comply with the Rule’s requirements, thus facilitating Commission enforcement of the Rule.”

• Consumers will know: Once your report is submitted, the FTC may post it publicly for consumers to review. When asked about this, the FTC commented “Making the notices public will enable consumers to make more informed decisions about which financial institutions they choose to entrust with their information, providing financial institutions with an additional incentive to comply with the Rule.”

• Effective date: The amendment will be live on 5/13/2024. It takes time to identify and effectively implement protections that truly minimize the risk of data breaches. Solutions like endpoint detection and response often require installing software on each laptop and desktop. The bottom line? Don’t wait to get started or improve your existing security measures.

Helpful Questions and Answers for Dealers:

What does “unencrypted” mean? According to FTC’s definition, information is unencrypted “if the encryption key was accessed by an unauthorized person.” In other words, this means someone hacked your system and was able to read the information within it.

Why only report unencrypted data breaches? The Final Rule requires a notification to be submitted to the FTC in the event of a breach. The FTC hopes that this will limit the reported events to those that are most serious. If unencrypted data is accessed by unauthorized individuals due to a breach, the likelihood of damage to the consumer increases. The FTC hopes that this caveat will limit the reported events to those that are most serious. This is a good reason to ensure that you are in full compliance with the Rule. To best avoid this, it is recommended to encrypt all customer information at rest and in transit in combination with ongoing 24/7 endpoint detection and response.

Why 500 customers? In the commentary, the FTC relayed that 500 consumers was a large enough amount to justify the potential resources needed to investigate a dealer. They also shared that just because you submitted a notification does not guarantee you will be investigated.

Why 30 days to notify? According to the Commission, a 30-day deadline should be enough time for a dealer to discern what has happened and effectively answer the required reporting questions. While this may seem fast, it is not far off from many state regulations. As a dealer, be sure to check your state mandates for data breaches as you may have to submit two reports separately.

What’s Included in the Form You Must Submit to the FTC?

1. Name and contact information of the dealership

2. The type of information that was breached

3. If possible, the date of the breach

4. The number of consumers affected

5. An overview description of the breach event; unless otherwise specified by law enforcement

Summary

The Commission has made a focused effort to move dealerships into the same regulatory space as banks. This amendment continues that mission. With these changes, dealers can expect stricter enforcement and a consumer experience that impacts buying behavior.

Mosaic is here to help

Mosaic Compliance Services has won the Dealer’s Choice Award for compliance training eight years in a row. We help dealers with everything from complete Safeguards compliance to deal audits to policies. If it’s compliance-related, let us take the work off your plate.

Contact us today to get protected

See us at booth #101.

Mosaic is excited to be attending Industry Summit 2023. See us at booth #101. We'd love to speak with you about your compliance needs.

We solve your compliance problems - affordably!

Mosaic Compliance Services was founded in 2006 by attorneys focused on dealership defense. Over the years, Mosaic has increased the scope of its compliance solutions while consistently driving down our cost, resulting in our private-labeled program winning the Dealers' Choice Diamond Award for Compliance Training eight years in a row (2016 - 2023).

Whether your dealership's compliance concerns involve the revised Safeguards Rule, F&I and sales practices, or sexual harassment, let Mosaic craft a solution that won't break the bank.

Visit our show page to see our team attending the summit and learn more about our offerings. See you there!