Does your dealership have Safeguards in place to protect customer information? Or does your dealership just say that it protects customer information? The FTC recently found the latter to be a UDAP violation. New changes to the Safeguards Rule will likely firm up this interpretation and make it more important for dealerships to have robust computer network security in place.
This video was originally published in May 2019.
Changes to the Safeguards Rule
On January 10th, 2022, an updated version of the Safeguards Rule became law. The biggest change was the abandonment of the “reasonable” standard. What was once subjective became objective – certain tasks had to be undertaken and demonstrated, whether it was reasonable or appropriate in the dealership environment or not.
Those mandatory provisions include:
Appointment of a single “Qualified Individual” to oversee a dealership’s Safeguards efforts;
A thorough, written risk assessment that includes a vulnerability assessment of the dealership’s computer network;
A written Information Security Program document, or “WISP” that addresses the risks identified in the risk assessment;
Multi-factor authentication to gain access to networks containing customer data;
Encryption of customer data, both in transit and at rest;
Network intrusion monitoring;
Enhanced training;
Annual written reports to senior management; and
Selection of service providers that can demonstrate compliance with the Safeguards Rule, and termination of service providers that do not.
The downside of failing to comply with the Safeguards Rule is substantial. Potential fines can run to $46,517 per violation; that number is adjusted upward for inflation annually.
Although the odds of becoming subject to FTC fines may be remote, the FTC has defined violations of the Safeguards Rule to constitute a deceptive trade practice. This is ammunition for the plaintiff’s bar and opens the possibility of punitive damages in civil actions.
The Franklin Toyota Case
A few years to an FTC enforcement case called Federal Trade Commission versus Franklin Toyota. In that case, the FTC alleged that Franklin Toyota had failed to follow the Safeguards Rule. Specifically:
They failed to conduct a risk assessment.
They failed to adopt policies such as an incident response plan to prevent or limit the extent of unauthorized disclosure of personal information.
They failed to adequately train their employees
As a result, their computer network was hacked and they lost the personal information of over 95,000 customers including names, social security numbers, dates of birth, addresses, and driver's license numbers. This type of data breach creates an enormous risk of identity theft and identity cloning.
The scary part came in the consent order. In the consent order, the FTC alleged the dealer has represented expressly or by implication that it implements reasonable and appropriate measures to protect consumers' personal information from unauthorized access. What the FTC meant was that the dealer promised its customers that it would follow the Safeguards Rule. Where did it make that promise? The same place you make that promise: in your Privacy Policy Notice.
The Privacy Policy Notice came from the same organic law as the safeguards rule—the Gramm-Leach-Bliley Act. They're related! They relate to one another. It's like they're in the same Union. And in the Privacy Policy Notice is the following sentence:
“We employ physical electronic and procedural safeguards to protect your non-public personal information in accordance with federal law.”
Everybody says that because that's the model language that's included in the federal form Privacy Policy Notice that everybody uses and the physical, electronic, and procedural Safeguards that Franklin Toyota promised to employ were the ones that are described in the Safeguards Rule.
But Franklin Toyota didn't follow their own policy. They promised every customer in writing that they would follow the Safeguards Rule and they failed to make good on that promise. Why is that so serious? In the next paragraph we read:
“In truth and in fact the dealer did not implement reasonable and appropriate measures to protect consumers personal information from unauthorized access. Therefore the representation set forth in paragraph 13 was and is, false or misleading in violation of Section 5 of the FTC Act.”
What that means in plain English, is that if you don't follow the Safeguards Rule after promising all of your customers that you will, it constitutes unfair and deceptive trade practice. Let that sink in. It is an unfair and deceptive trade practice because that's what we find in Section 5A of the FTC Act. If it's an unfair and deceptive trade practice you could potentially be liable for punitive damages, class action lawsuits, and terrible press. In essence, the perfect storm.
Failure to follow the safeguards rule potentially can be seen as a deceptive trade practice and that's the claim that we'll shoot the lock off your wallet. It's always been important to protect customer data, but in the wake of the Franklin Toyota case and the recent changes to the Safeguards Rule, it is more important than ever. Follow the safeguards rule, protect customer data, and protect your dealership.
Banks and Other Finance Sources
Perhaps the most significant downside risk is the threat that banks and other finance sources may not be permitted to purchase dealers’ installment sale contract or lease agreements. This is because dealerships are Service Providers to those finance sources, and Service Providers must demonstrate compliance with the Rule in order to do business with financial institutions covered by the Rule, which banks and captive finance companies certainly are.
In recent years we’ve seen the CFPBs interpretation of the Fair Credit Reporting Act put pressure on dealers to cap their rate mark-up, a key source of dealer revenue. Ultimately it was banks that limited the amount that dealers could earn through dealer markups after they were pressured by the CFPB to do so. It is possible the CFPB won’t let banks buy the paper of dealerships that haven’t documented Safeguards compliance.
You may also remember the DoD’s reinterpretation of the Military Lending Act back in December of 2017, to paraphrase, someone in the Department of Defense said, “You know what, we really think that the automotive finance exemption doesn’t really apply when it comes to GAP,” and overnight dealers were not allowed to sell GAP to anyone that was covered by the Military Lending Act. It cost dealers, depending on their location, tens of thousands of dollars a month, but the compliance was almost instantaneous, and almost totally uniform across the board. Why? Because banks wouldn’t buy a deal that had GAP in it unless you had a document that said, “This customer is not covered by the Military Lending Act.”
Pressuring finance sources is the regulators' most effective tool. It is unlikely that the CFPB will forget they have that tool because the man who voted for the Revised Safeguards Rule, Rohit Chopra, on his last day as a Federal Trade Commissioner, went across the street and took his new job, as the Director of the CFPB.
It is reasonable to believe, that these two agencies are going to coordinate and cooperate. But in a sense, it doesn’t even matter, because we’ve already seen dealers get contract addenda from their banks, where the banks are, by contract, saying things like, “We will not buy your paper if you don’t document that you are complying with the rule, and if we ever find out that you are not complying, all the paper becomes recourse paper.” Forget the CFPB. Forget the FTC. If banks do that generally, if it becomes the industry standard, I don’t care which bullet hits you, you’re still dead. You have no guarantee that you’ll be able to sell your paper on December 9th, if you’re not complying. That’s the enforcement mechanism that we are most worried about.