NADA Issues Preliminary FAQ Document
The Federal Trade Commission recently issued its long-awaited, final amendments to its Safeguards Rule. The rule includes a significant number of new and expanded procedural, technical and personnel requirements that financial institutions, including dealerships, must satisfy to meet information security obligations.
The new requirements include:
(a) developing and implementing specific components of an information security program, such as access controls, authentication and encryption; and
(b) requiring actions related to the program’s accountability, such as hiring or retaining “qualified” personnel and providing periodic reports to the financial institution’s governing body.
Since the amendments were proposed, NADA has conducted wide-ranging advocacy with the FTC, including submission of two sets of extensive written comments challenging the need for and practicality of many of the proposed new requirements and urging the Commission to conduct a cost-benefit analysis on each of them. The comments referenced an NADA-commissioned independent cost study that outlined the significant additional costs required for the average dealer to meet the new proposed requirements.
Although the FTC made significant changes and provided important clarifications to the proposed amended rule in response to NADA’s input, many of the amendments in the final rule will require dealerships to adopt new information security measures. While several of the new obligations may already be in place at many dealerships, others vastly expand what most have developed and will require additional investment in software, technology and, potentially, personnel. The challenges involved in satisfying the new obligations could also increase dealerships’ liability exposure.
Dealers, as well as their relevant technology vendors, must comply with most of the new requirements of the rule within one year of its upcoming publication in the Federal Register. Several of the new requirements do not apply to financial institutions that maintain customer information on fewer than 5,000 consumers.
NADA will develop and distribute comprehensive compliance guidance for NADA member dealerships. In the meantime, attached are preliminary FAQs about the amended rule. Dealers should carefully review this information and reach out to their technology vendors as soon as possible to ensure that they will also be able to comply with these extensive new requirements.