This guidance from Tekion explains recent clarifications from the Federal Trade Commission (FTC) regarding the 2023 amendments to the Safeguards Rule. The FTC issued this new guidance to address the operational realities of modern dealerships, which now face more specific and stringent data security mandates. Because your dealership arranges financing or leasing, you are considered a "financial institution" and are subject to both the Safeguards Rule and the Privacy Rule. Both regulations govern how you handle sensitive "nonpublic personal information" (NPI), such as Social Security numbers and credit history.
Summary of Safeguards Rule Amendments
The original Safeguards Rule gave businesses flexibility in how they protected customer data. The recent amendments make the rule more prescriptive: instead of allowing flexible approaches, they require specific mandatory actions and documentation. The goal was to strengthen data security standards and ensure they keep pace with current technology. Key changes include the mandate to designate a "Qualified Individual" to oversee the program, conduct formal written risk assessments, implement specific technical controls such as encryption and multi-factor authentication, and create a detailed written incident response plan.
Key Points:
The Safeguards Rule focuses on protecting customer information. It mandates that you develop, implement, and maintain a detailed, written information security program with specific administrative, technical, and physical safeguards to actively protect customer data. The recent amendments identified the following prescriptive requirements.
- Designate a Qualified Individual (New Requirement): Formally designate a qualified individual to oversee, implement, and enforce your information security program.
- Conduct a Written Risk Assessment (New Requirement): Perform and document a written risk assessment on a periodic basis that identifies foreseeable internal and external risks to the security and integrity of customer information.
- Implement Specific Technical Safeguards (New Requirement): Put in place specific technical controls, including encrypting all customer information both on your systems and during transmission, and implementing multi-factor authentication (MFA) for any individual accessing systems that contain customer information.
- Create a Written Incident Response Plan (New Requirement): Develop and maintain a written plan detailing how you will respond to and recover from a security event, such as a data breach.
- Oversee Third-Party Vendors: Conduct thorough due diligence on your service providers and third-party vendors, and ensure all contracts include specific requirements for them to implement and maintain appropriate technical, administrative, and physical safeguards for any customer information you share with them.
- Manage Your Unified DMS Database: If you store protected financial data alongside other information in a unified system, your security program must cover the entire database, so that unauthorized access to any sensitive information is prevented no matter which part of the system holds it.
- Violations and Penalties: Fines of up to $100,000 per violation for the dealership. Individual fines of up to $10,000 per violation may also apply to corporate officers and other individuals found to be in violation.
Summary of GLBA Privacy Rule
Although the 2023 Safeguards Rule amendments did not change the Privacy Rule, this regulation remains critical for dealers given their unique compliance position. The Privacy Rule focuses on transparency, requiring you to provide customers with clear notice of your privacy policies and their right to opt-out of certain data sharing. Understanding your distinct obligations under each is critical, as compliance with one does not satisfy your duties under the other.
Key Points:
- Privacy Notices: Provide customers with clear and conspicuous notice explaining your privacy policies when establishing the customer relationship (such as during financing or leasing transactions).
- Right to Opt-Out: The privacy notice must also describe the customer's right to opt-out of having their NPI shared with certain nonaffiliated third parties.
- Violations and Penalties: Violations such as failure to provide adequate privacy notices, not honoring opt-out requests, or improperly sharing nonpublic personal information with nonaffiliated third parties can be considered unfair or deceptive acts under the FTC Act that may result in significant civil penalties of up to $50,120 per violation for the dealership.
Dealership-Specific Guidance Under Both Rules
- OEM and Third-Party Data Sharing: You are responsible for the security of customer data when sharing it with OEMs and other third parties. This means conducting thorough due diligence on your service providers and third-party vendors, particularly OEMs due to the volume and frequency of customer information routinely shared for warranty, recalls, and incentive programs. You must ensure all contracts include specific requirements for them to implement and maintain appropriate safeguards for any customer information you share, and that you have audit rights to verify their compliance.
- Unified DMS Database: When you store all customer data—both financial and non-financial—in a single database, you must implement access controls and other safeguards across the entire database to ensure that only authorized personnel can access sensitive customer information, regardless of where it resides in the system.
- Privacy Notice and Customer Relationship: The Privacy Rule requires you to provide customers with clear and conspicuous notice explaining your privacy policies when establishing the customer relationship (such as during financing or leasing transactions). You must also deliver annual privacy notices to customers if you hold their retail installment contracts or are the lessor on a lease.
- Service Department Data Handling: When your DMS integrates service records with financial data, the entire customer file falls under Safeguards Rule protection. This means service advisors, technicians, and other staff accessing customer records must have appropriate authorization and your access controls must prevent unauthorized viewing of sensitive information across all system modules.
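The two points above (a unified DMS database and service staff reading the same customer file) amount to one design requirement: the authorization decision must be made on the record itself, not on the module that happens to display it. The following is an added example, not Tekion's code or any DMS product's API, of a small policy layer that enforces role-based, field-level access over a single customer record, masks NPI for roles that do not need it, requires MFA for every read, and writes an audit entry for each granted or denied access. The role names, module names, NPI field list and sample record are all constructed for illustration.

```python
"""Role-based, field-level access control for a unified DMS customer record.

Added example, not Tekion's code or a DMS product's API. Role names, module
names, NPI field names and the sample record are constructed for illustration.
"""
from datetime import datetime, timezone

# Fields the dealership treats as nonpublic personal information (NPI).
# Constructed list; a real program would derive it from the written risk assessment.
NPI_FIELDS = {"ssn", "credit_score", "dob", "annual_income"}

# Which roles may read NPI in clear text. The policy is attached to the record,
# so it is enforced the same way whether the finance or the service module reads it.
ROLE_NPI_ACCESS = {
    "finance_manager": True,
    "service_advisor": False,
    "technician": False,
}

# Append-only audit trail of every read, granted or denied (constructed structure).
AUDIT_LOG = []

# Constructed sample record: financial and non-financial data in one row.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Pat Example",
    "vin": "1HGCM82633A004352",
    "last_service": "2024-05-14",
    "ssn": "123-45-6789",
    "credit_score": 720,
    "dob": "1985-04-12",
    "annual_income": 82000,
}


def redact(field_name, value):
    """Return the masked form of an NPI value (last four SSN digits kept for lookup)."""
    if field_name == "ssn":
        return "***-**-" + str(value)[-4:]
    return "[redacted]"


def _audit(role, module, customer_id, granted, npi_disclosed):
    """Record who read which customer record from which module, and whether NPI was shown."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "role": role,
        "module": module,
        "customer_id": customer_id,
        "granted": granted,
        "npi_disclosed": npi_disclosed,
    })


def read_customer_record(record, role, module, mfa_verified):
    """Return the view of `record` that `role` is permitted to see.

    Every read of a system holding customer information requires MFA, and an
    unknown role is denied; both outcomes are audited before the error is raised.
    """
    cid = record.get("customer_id")
    if not mfa_verified or role not in ROLE_NPI_ACCESS:
        _audit(role, module, cid, granted=False, npi_disclosed=False)
        reason = "MFA required" if not mfa_verified else f"unknown role {role!r}"
        raise PermissionError(reason)

    clear_npi = ROLE_NPI_ACCESS[role]
    # Non-NPI fields pass through; NPI fields are masked unless the role is cleared.
    view = {
        key: (value if clear_npi or key not in NPI_FIELDS else redact(key, value))
        for key, value in record.items()
    }
    _audit(role, module, cid, granted=True,
           npi_disclosed=clear_npi and any(k in NPI_FIELDS for k in record))
    return view


if __name__ == "__main__":
    print(read_customer_record(SAMPLE_RECORD, "finance_manager", "finance", True))
    print(read_customer_record(SAMPLE_RECORD, "service_advisor", "service", True))
```

The design choice worth noting is that the service module never receives a separate "service-only" copy of the data; it receives the same record with NPI fields already masked, so a new module added later inherits the policy instead of re-implementing it. The audit entries, which record denials as well as grants, give the Qualified Individual evidence for the periodic testing the checklist below calls for.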
Compliance Best Practices Checklist
Use this checklist to ensure you are following best practices for both rules.
Safeguards Rule Checklist
✅ Designate Your "Qualified Individual": Formally assign a specific person to be responsible for your information security program.
✅ Document Your Risk Assessment: Complete and maintain a written risk assessment that identifies potential threats to customer data.
✅ Implement and Test Safeguards: Ensure specific controls like encryption and MFA are in place and that you are regularly testing their effectiveness.
✅ Finalize Your Incident Response Plan: Have a written, actionable plan ready to execute in the event of a data breach.
✅ Conduct Due Diligence on Service Providers: Before sharing customer data with any third party, including OEMs, ensure a contract is in place that requires them to protect that information.
Privacy Rule Checklist
✅ Deliver Initial Privacy Notice: Ensure every finance or lease customer receives a clear privacy notice at the time of the transaction.
✅ Clarify Opt-Out Rights: Confirm your privacy notice clearly explains the customer's right to prevent their information from being shared with certain third parties.
✅ Send Annual Notices: If you hold retail installment contracts or are the lessor on a lease, send an updated privacy notice to those customers annually.
Additional Resources
This guidance is for informational purposes only and does not constitute legal advice; dealerships should consult with qualified legal counsel to ensure compliance with applicable laws and regulations.