By Brad Miller
Chief Compliance/Regulatory Officer

Fiction: Smaller dealers have no reason to worry about the FTC Safeguards Rule because they are exempt.
There is a common misunderstanding among some in the dealer world that small dealers do not need to comply with the Federal Trade Commission’s (FTC) Safeguards Rule. While it is true that the Rule includes an exception that states several provisions of the Rule do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers, there are compelling reasons why smaller dealerships should still prioritize compliance with the FTC Safeguards Rule.
Reason 1: Most Dealers Likely Have More Than 5,000 Customer Records
Many dealerships may underestimate the number of consumer records they actually maintain. It’s more than simply the annual number of vehicle sales and leases at your store. That’s because most dealers “maintain” far more customer records than sold/leased vehicle records.
Consider the following:
- Federal Retention Obligations: Dealers are required to maintain records related to transactions, including those that were not finalized, for at least 25 months¹. This means that dealers are required to have at least two years' worth of consumer records.
- Record Retention Policies: Even if not required, most dealers maintain records for far longer to prove compliance, and to defend against potential consumer claims – often up to 5 or 6 years depending on their state’s statute of limitations.
- CRM Data: Most dealers maintain information about consumers and potential consumers in their Customer Relationship Management (or equivalent) system. These records are far broader than just “sold” deals, and are often retained for a long period of time.
- Website Visitors: Under the Safeguards Rule, certain website visitors are considered consumers, and the records (even the cookies) related to these visits constitute Non-Public Information (NPI). This is likely to involve many additional consumers.
Given these factors, many “small” dealerships may find they exceed the 5,000-consumer threshold without realizing it.
Reason 2: Limited Exemptions for Smaller Dealerships
Even if a dealership qualifies for the under-5,000 consumer exemption, it’s important to understand that this only excuses them from certain specific requirements. If applicable, the exemption would only excuse the obligation to: a) conduct a risk assessment; b) perform penetration testing and vulnerability assessments; c) have a written incident response plan; and d) draft an annual board report.
While these exemptions can be helpful for very small dealers, it’s crucial to note that all dealers, regardless of size, must still comply with numerous other requirements under the Rule. The “laundry list” of other obligations remains in effect, including the appointment of a qualified individual, MFA, encryption, other policies and procedures, and more.
Reason 3: Contractual or Other Obligations to Comply
Outside of the strict legal requirements of the Rule, small dealers need to understand that Safeguards compliance is not just a good data security best practice, it may be required by contract. Often OEM, finance company, insurance or other agreements contain requirements to comply with federal privacy and data security obligations, including the FTC Safeguards Rule. Dealers are encouraged to review their agreements to determine the scope of these obligations.
Lastly, no dealer wants to be in a position where, heaven forbid, a breach event occurs, but if you are, the first line of defense is pointing to your FTC Safeguards Rule compliance to establish that you undertook reasonable steps to address data security.
The broad definition of customer information, the comprehensive nature of the remaining requirements, along with various non-regulatory requirements make it prudent for all dealerships, regardless of size, to take steps to comply with the Safeguards Rule if they do not already.
ComplyAuto has made it simple, and has you covered with a full suite of compliance tools and services for easy and comprehensive Safeguards Compliance. Contact ComplyAuto today to learn more.
¹ The Equal Credit Opportunity Act (“ECOA”) and Reg B require dealers to maintain records of all written or recorded information in connection with a consumer credit application (completed and dead deals) for 25 months. See 12 CFR 202.12(b).