August 4, 2021

Industry strengthens opposition to fortified Safeguards Rule

The National Automobile Dealers Association submitted renewed objections to the Federal Trade Commission’s proposed Safeguards Rule amendments, which beef up requirements for financial institutions to protect consumer data.

In a periodic review of its data protection guidelines, the federal watchdog proposed in March 2019 several amendments governing what steps financial institutions should undertake to reasonably prevent data breaches. Dealerships are obligated to follow the Safeguards Rule because of their indirect financing relationships with lenders and the fact they store sensitive consumer information in their software.

In its renewed comments, submitted Aug. 12, NADA urged the FTC to revisit its proposed changes and conduct a cost-benefit analysis.

“No financial institution or other business wants to suffer a data breach or other security incident, yet the emerging consensus is that there is simply no way to ensure with certainty that a breach will not happen,” NADA said in a letter last week. “We urge the Commission to take a second look … to take the time to first define what data must be protected under the Rule in light of today’s market realities; to review the best practices in data security, and to analyze the net cost and security benefit of each of these best practices.”

In a recent industry workshop discussing the efficacy of the proposed changes, NADA reiterated claims the cost burden of the new procedures would be crushing to U.S. dealership operations, which primarily function as small local businesses.

The FTC sought comment on potential revisions to the rule in March 2019. The changes add more detailed requirements for what constitutes a “comprehensive” information security program.

“The proposal generally would require financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information, and to use multifactor authentication to access customer data,” the FTC said in a statement last year.

Adding a chief information security officer position at dealerships — one of the FTC’s proposed changes — would be particularly burdensome, NADA said. The position would be a costly addition, the association said, and is one often outsourced by smaller dealership groups. The organization noted that “the risks of appointing one ‘qualified’ individual to address a financial institution’s data security posture” were discussed during the workshop.

Adding details to the rule would remove ambiguity but also flexibility. NADA says the current rule “has the distinct advantage of being ‘self-modernizing.’ ”

“That is, because what is ‘reasonable’ changes over time with advances in technology and changes in the market, the current Rule allows financial institutions to protect their data in different, but equally reasonable ways,” the letter said.

NADA’s 2019 analysis of the cost burden of the additional requirements found that these changes could add billions of dollars in costs to U.S. dealerships without guarantees of preventing data breaches, as the changes intend. Broken out on a per-store basis, midsize dealerships could be spending $367,550 initially to comply with the rules and $336,050 in annual costs for data security, the association said.