Alert: FTC’s New Data Breach Reporting Rule and Implications for Dealerships

By Chris Cleveland
Co-Founder and CEO

The Federal Trade Commission (FTC) has recently intensified its stance on consumer data protection by unveiling a significant amendment to the FTC Safeguards Rule. This directive, centered around data breach reporting, is of paramount importance to all dealerships across the country. The legal team at ComplyAuto has reviewed the published amendment and FTC comments at length and have summarized their findings below.

Mandatory Reporting and Increased Accountability

Dealerships are now obligated to promptly report any data breach affecting 500 or more customers directly to the FTC. Beyond the act of reporting, this rule ushers in heightened accountability. An electronic report to the FTC not only standardizes the process but also triggers an immediate investigation into the dealership’s security protocols and compliance with the Safeguards Rule.

FTC’s Unambiguous Position on Data Breaches

Within the FTC’s comments, it states that “[t]he Commission believes that taking action to correct a potential Safeguards Rule violation before additional security events can harm consumers is appropriate and desirable.” This statement underscores the FTC’s commitment to proactive consumer data protection and to go after violating businesses with the full force of the federal government.

Encryption: A Non-Negotiable Requirement

The amendment specifically places a significant emphasis on encryption. Dealerships must report breaches involving “unencrypted” data, making it imperative for dealers to adopt encrypted messaging tools and ensure the encryption of device hard drives in order to secure their customer information. Not doing so would not only put you at significant risk to a data breach but also squarely in the FTC’s crosshairs.

Time-Sensitive Reporting and Public Disclosure Risks

Dealerships are afforded a mere 30 days from the discovery of a breach to report it to the FTC. The FTC’s decision to make these reports public heightens the risk of negative media attention, reputational damage, and a potential erosion of customer trust. In such a highly competitive industry and the importance of personal information, being publicly named in a data breach could mean the difference between losing a customer or losing a dealership.

ComplyAuto: The Ultimate Shield in Data Breach Compliance

Dealerships that are currently lagging in compliance are treading very dangerous waters, but by mid-2024, when this amendment becomes effective, the full force of the Safeguards Rule will be in play. “Flying under the radar” will no longer be an option and non-compliance could lead to serious regulatory and reputational consequences.

As an NADA Affinity Provider that is endorsed by over 35 state dealer associations, ComplyAuto is the singular one-stop solution for the Safeguards Rule and all of its iterations. It is the only platform that offers encryption tools for messaging and devices, directly catering to the stringent encryption requirements of the amendment.

Key Takeaways: Navigating the New Data Breach Reporting Landscape

For dealerships to stay ahead of the curve, understanding the crux of the new rules is essential:

  • Mandatory reporting of breaches affecting 500+ customers.
  • Required electronic reporting via an FTC-provided form.
  • Emphasis on encrypted messaging tools and device hard drive encryption.
  • Only breaches involving “unencrypted” data are reportable.
  • A strict 30-day reporting window post breach discovery.
  • Public disclosure by the FTC, with associated reputational risks.
  • Full rule enforcement expected by mid-2024*.

For more information about our Safeguards Rule solutions, please visit us at or email us at


*The amendment becomes effective 180 days after it is published in the Federal Registrar. We will keep our clients up-to-date and notify you when that occurs.

2 Comments. Leave new

  • Chris, does this amendment require the encryption of email? Obviously nobody can control the characteristics of incoming email messages. What about outgoing? What say you?

    • Yes, the original rule that went into effect on June 9th, 2023 requires the encryption of outgoing emails, as well as any other outgoing communications containing customer NPI (i.e., the “encryption in transit” rule). For most emails, TLS will suffice, but end-to-end encryption using a third-party tool may be necessary for more sensitive information.


Leave a Reply

New High-Risk Cybersecurity Threat and Proactive Measures to Ensure Safety
Session Replay Tools: Data Analytics Gold Mine or Privacy Pitfall?

We want to enroll our employees in preventative training to prevent BAR citations and fines.

We received a citation or disciplinary action and need to take remedial training.

Mock OSHA Assessment


  • On-demand eight-hour assessment that imitates a real OSHA audit.
  • Conducted by an EHS Pro with OSHA-10 or OSHA-30 certification and 5+ years of experience. 
  • Simulated employee interviews
  • Issue tracking and task management
  • Detailed assessment reports after the assessment with images, videos, and recommended steps for remediation.

    Privacy & Cyber Compliance Suite


    • Custom legal policies with real-time updates, including the Information Security Program (ISP)
    • Customized Incident Response Plan (IRP)
    • Internal risk assessment tools and hands-on guidance
    • Biannual penetration testing (2) 
    • Biannual vulnerability scans (2)
    • Employee security awareness training and completion tracking
    • Extensive vendor management library – hundreds of vendor-completed GLBA contracts & risk assessments
    • Device & systems inventory automation and mapping tools
    • Unlimited industry-specific internal phishing simulations to train staff
    • Complete 50-state privacy compliance required by your state (CA, CO, CT, DE, IA, IN, MT, OR, TN, TX, UT, VA)
    • Website cookie consent banners and unique consumer privacy request portals
    • Annual report to the Board of Directors generated every year
    • Compliance Guarantee

      CPR/AED Certification


      • Instruction provided by Certified American Red Cross Instructors.
      • Practical, hands-on training sessions to practice CPR and AED techniques
      • Proper automated external defibrillator (AEDs) instruction and operation
      • American Red Cross exam and certification
      • Access to study materials, manuals, and resources for continued education and reference.
      • Available for organizations and groups, allowing for tailored training sessions.

      HR Fundamentals


      • Customized policy builder with real-time updates
      • E-sign functionality for required employee policies 
      • Online HR training with employee completion tracking
      • State-specific policies and training
      • Employee management tool
      • Training and policies include Workplace Violence, Active Shooter, IT and Electronic Device Use, Biometric Data Privacy, Sexual Harassment, and more 
      • HR Fundamentals access is included with any other ComplyAuto product

        Encrypted Messaging


        • Encrypt SMS text and email messaging among staff, clients, and customers when sending and receiving files
        • Track usage and detect violations in real-time
        • Advanced security features include auto-deletion of files, Multi-Factor Authentication protection, IP safelisting, and domain blocklisting
        • Supports compliance with various state and federal regulations and recognized industry standards: GLBA, HIPAA, SOC 2, ISO 27001, NIST, CIS Controls, SEC

          Safety Compliance Suite


          • Concierge on-site onboarding 
          • On-demand safety walkthroughs conducted by experienced EHS Pros at various intervals – once, twice, or four times per year
          • Comprehensive Online Training Library and employee progress tracking
          • Automated 50-State Legal Injury & Illness Reporting
          • Policy Builders with Automatic Updates
          • Simplified SDS Creation and Management
          • Guided risk mitigation
          • Signage builder & tracking
          • Efficient equipment inspections with QR Codes
          • Tier 1 Spill Prevention Control and Countermeasure Plan 
          • Automated Tier 2 environmental reporting for all 50 states 
          • Unlimited one-on-one support from our dedicated team
          • Workplace Violence and Active Shooter Policy and Training
          • Unlimited one-on-one support from our dedicated team
          • Automated Tier II environmental reporting for all 50 states.

            EduTech Course 3

            Program to Fulfill AG Disciplinary Order - $299/student

            The California AG routinely penalizes facilities that violate these laws and requires them to perform specific remedies while on probation. One of these remedies requires the ARD to take a course that outlines the laws and regulations of the Automotive Repair Act. This program fulfills the requirement.


            • Comprehensive online course about the Automotive Repair Act

            • Access to training materials anytime (24/7/365)

            • Comprehensive companion manual to the training material

            • Quizzes and final exam to track engagement and learning ability

            • Certificate generated upon completion

            EduTech Course 2

            Remedial Training and Attorney General Disciplinary Order - $299/student

            The Bureau of Automotive Repair (BAR) has allowed violating automotive repair dealers to take a remedial training program in lieu of having their information posted on a public website. Additionally, automotive repair dealers are required to take a training course as part of the California Attorney General’s disciplinary order. 

            This course fulfills both of these requirements.

            Created by California attorneys with over 35 years of combined experience in the automotive repair industry, this course is the only course on the market that is taught by instructors who are certified by the BAR.


            • Comprehensive online course about the Automotive Repair Act
            • Instruction by providers certified by the BAR
            • Access to training materials anytime (24/7/365)
            • Comprehensive manual that is a companion to the course
            • Quizzes and final exam to track student engagement and information retention
            • Certificate generated upon completion
            • Automated notification to the Bureau of Automotive Repair, if applicable


            EduTech Course 1

            Automotive Repair Act Certification Training - $49/month per rooftop

            With new regulations giving the Bureau of Automotive Repair (BAR) more authority to find violations and enforce citations upon repair facilities, it is now more important than ever to make sure your staff is knowledgeable about the Automotive Repair Act. Protect your repair facility from BAR scrutiny by enrolling into EduTech’s Automotive Repair Act Certification Training. This is the only training in California that is approved by BAR. 

            “Evidence of voluntary participation in retraining [of]…employees” as a mitigating factor. – Guidelines for Disciplinary Orders and Terms of Probation, BAR

            BAR has allowed retraining to be a “factor in mitigation” when investigating a repair facility. Therefore, as a preventative measure, it is strongly recommended that all technicians and service writers enroll into this course to show the BAR that you acknowledge and understand these rules before any investigation ever occurs. 

            All students enrolled in this product will be eligible for our “EduTech Guarantee” which financially protects repair facilities from enforcement by the Bureau of Automotive Repair. For more information, please visit our Terms of Service.


            • Online training course about the Automotive Repair Act
            • Only training course that is approved by BAR
            • Access to training materials anytime (24/7/365)
            • Quizzes and final exam to track student engagement and information retention
            • Certificate generated upon completion


            • Lower risk of BAR scrutiny by standardizing correct practices
            • Increased customer satisfaction
            • Establishes good faith efforts and may avoid BAR citation and fine
            • Professional development for service writers and technicians
            • Eligibility for the EduTech Guarantee

            Students enrolled in this product will also have complimentary access to HR training materials and policy builders. Topics include:

            • Sexual harassment (supervisory and non-supervisory)
            • Active shooter
            • Workplace violence
            • Social media use
            • Biometric data (timekeeper or key lockbox)

            F&I Compliance Suite

              • Precise Deal Jacket Audits to identify and address real-world F&I compliance issues accurately.
              • Focused Compliance on specific F&I compliance concerns such as Fair Lending Compliance Solutions, California Litigation, Vehicle Safety Recalls, Used Vehicle History, FTC Buyers Guide & Federal Warranty Disclosures, 
              • Automated EZ Cash Reporting & Anti-Money Laundering with IRS Reporting 
              • Spot Delivery & Unwind Management
              • Real-Time Issue Identification Quickly detect compliance gaps and issues, enabling swift corrective action and risk mitigation.
              • Online F&I Compliance Training 
              • Compliance Guarantee

                Device & Email Security


                The combined features create a dynamic defense system that adapts to evolving cybersecurity threats and secures the organization's digital ecosystem.

                • Continuous threat detection and response powered by Coro:
                  • EDR (Endpoint Detection and Response) 
                  • MDR (Managed Detection and Response) 
                  • 24/7 Security Operations Center team
                  • Swift response and alert to potential security breaches
                • Enhanced authentication and access control via Multi-factor Authentication (MFA) powered by Duo Security™
                • Advanced email security to shield e-threats such as phishing, malware, spam, and scams – integrates with Google Workspace & Microsoft Office 365.
                • Data governance and Data Loss Prevention (DLP)  detect and manage employee data-sharing practices. 
                • Device-level encryption for Windows and macOS
                • Public & unencrypted wifi blocking
                • Next-gen antivirus
                • Automated password policy and session locking enforcement