The automotive dealership industry is abuzz with talk about the revised FTC Safeguards Rule. The potential for FTC enforcement action, combined with fines of $50,120 per violation, has dealerships rightfully concerned.
However, while the industry is fixated on these substantial fines, a more covert and dangerous threat is present: data breaches.
Fear Mongering and Misinformation
It is no secret that some vendors are exploiting the industry’s general inexperience with these specific requirements by capitalizing on fear of the FTC. Aggressive marketing campaigns, filled with dire warnings and hyperbolic statements, are often designed to simply push their products and make a quick buck. One such campaign even claims that dealerships could be fined $50,120 per text or email containing customer personally identifiable information (PII)! By this logic, all the text and emails between a salesperson and a customer sharing an address or phone number could potentially bankrupt a dealership. This is preposterous because not only would it be extremely unlikely for the FTC to enforce the regulations this way, it is also a complete misunderstanding of the Safeguards Rule, which regulates only non-public personal information (NPI), not PII.
But let’s cut through the noise and focus on the real issue at hand: data breaches.
Data Breaches: The Actual Menace
As difficult as it is to admit, the FTC’s primary motivation behind the Safeguards Rule isn’t just to levy fines on covered businesses and dealerships. As noted by the NADA, the Safeguards Rule was originally created in response to widespread harm to customers caused by data breaches and cyberattacks.
On the whole, data breaches and cyberattacks have grown significantly over the past two decades (since the last time the Safeguards Rule was updated in 2003). Hackers, fueled by the potential for significant monetary gains, a low risk of getting caught, and a global footprint, have launched cyberattacks on businesses at an astronomical rate. One statistic shows that a cyberattack occurs every 39 seconds! On the other hand, the FTC, given its finite resources and team of auditors, can only oversee a limited number of dealerships annually.
It is telling that the number of dealerships that have undergone FTC inspections in recent months can be counted on one hand, yet dealerships experience cyberattacks almost on a weekly basis. Furthermore, while an FTC visit might typically be a rare occurrence, a publicized data breach of your dealership skyrockets this likelihood to a near certainty.
Dealerships are On the Menu
Dealerships are ideal victims for hackers. They are regular targets because of their vast reservoir of customer data, including sensitive financial and credit information, coupled with poor data-protection and cybersecurity practices across the industry. Yet recent statistics reveal that only 37% of auto retailers are confident in their current protection.
Apart from the immediate financial repercussions, a data breach can diminish customer trust, tarnish a dealership’s image, and lead to legal complications. Not surprisingly, studies have shown that most consumers won’t purchase from a dealer that has had a data breach. If you think five-star Google reviews are tough to acquire now, just wait until word gets out that your dealership had a data breach or that someone walked off-site with a banker’s box full of deal jackets.
Astonishingly, the average financial toll of a single data breach is an eye-watering $4.45 million in 2023, which is an increase of 15% over the past three years.
Confronting the Threat Proactively
Chris Cleveland, ComplyAuto’s CEO, in partnership with Brad Miller, NADA Regulatory Affairs Director, hosted a webinar on the Safeguards Rule for the NADA and its members. The session underscored the significance of preventing a data breach by implementing the following protections at a typical dealership:
- Penetration Testing: A mock cyber assault on your dealership’s network infrastructure to pinpoint potential weak spots.
- Vulnerability Scanning: Identifying and addressing common vulnerabilities in your computer systems that often lead to cybersecurity incidents.
- Threat Detection: Employing endpoint detection and response software to monitor systems for attacks and malware around the clock.
- Phishing Simulations: Evaluating employees’ responses to counterfeit phishing emails to prepare them for genuine threats.
- Unauthorized Activity Monitoring: Utilizing data-leak prevention (DLP) software to monitor and regulate data movement across the company’s network.
- Multi-Factor Authentication (MFA): Deploying MFA, a verification method requiring multiple authentication factors, across all devices and software.
- Encryption: Safeguarding data by ensuring it is encrypted at rest (e.g., stored on hard drives), and in transit (e.g., email and text).
While the updated Safeguards Rule emphasized the importance of compliance with a swath of new requirements, dealerships must understand that the genuine peril to a dealership isn’t merely regulatory fines. The goal is to prevent the catastrophic and debilitating consequences of a data breach, which will in turn invite FTC scrutiny. By channeling their efforts towards comprehensive cybersecurity initiatives and routinely championing data protection practices, dealerships can shield their enterprise, their customers, and their esteemed reputation from these bad actors.