Across a number of industries, including the retail auto industry, the data landscape is changing drastically, and the volume of data our dealerships collect is growing exponentially. As dealers, we rely on this data to serve our customers—whether it’s assisting with finance transactions or alerting customers for service. The data we maintain is at the heart of our businesses and core to our customer relationships and reputations. With this in mind, dealers have always taken significant steps to protect our customers’ private information, and that will remain an essential priority for us going forward.
But recently the Federal Trade Commission issued a notice of proposed rulemaking to amend the Safeguards Rule. The proposed amendments would require dealerships to, among other things, adopt specific, minimum technological standards to protect the data we collect. These requirements include encrypting customer information, implementing multi-factor authentication, and hiring a chief information security officer (CISO) to oversee a dealership’s information security program and report to its board of directors. While employing these measures may be desirable, they do not exist in a vacuum, and there has been no demonstration that all of them are necessary to protect customer information.
Not only would these prescribed measures add enormous compliance costs—an average one-time, up-front cost of $293,975 and an average annual cost of $276,925—they also fail to account for business size, risk and sensitivity of the data collected by entities required to comply with the rule.
The existing Safeguards Rule has afforded dealers the flexibility to employ data safeguarding tools that make sense based on the nature of our respective businesses. In contrast, the FTC’s proposed changes would dictate that all dealerships across the country implement all items on a long list of security tools and requirements. The cost of these changes might be easy for a megabank like Citibank to absorb, but as we’re all aware, most dealerships are small, Main Street businesses, and we don’t have the same resources.
While we all support protecting customer information and dealers should proactively review with their vendors the adequacy of their security measures, the FTC’s proposed one-size-fits-all rulemaking is not the right approach. Indeed, Automotive News made just this point in an editorial published earlier this month.
NADA is hard at work on this issue. In addition to submitting detailed comments to the FTC, we are leading comprehensive educational sessions with key reporters and media outlets, including Automotive News. Our priority is opposing the proposed sweeping amendments to the Rule and highlighting the significant impact they would have on dealers if adopted. NADA’s goal is to obtain a regulatory approach that protects sensitive data appropriately but still allows dealers across the country to focus on our core business: serving customers and meeting their needs.