Founder and Managing Shareholder
The Federal Trade Commission in March of 2019 proposed new changes to its Safeguards Rule, which dictates how a financial institution must protect consumer data. In a recent statement the National Automobile Dealers Association opposed the proposed Rule change, citing a study that indicates that the rule change would impose hundreds of thousands of dollars in additional costs on dealers of all sizes. For California dealers that are facing compliance with the California Consumer Privacy Act, though, the question is whether the proposed change to the Rule would impose changes that differ significantly from CCPA requirements. Our analysis shows that the FTC’s proposed Rule would require changes that are similar to those under the CCPA and that California dealers that take the time to improve their data security to avoid liability under the CCPA will be well positioned to handle changes from the FTC.
The Safeguards Rule is part of the Gramm Leach Bliley Act, enacted in 1999 and providing a framework for regulating the privacy and data security practices of a broad range of financial institutions. Automotive dealers typically fall within the definition of a financial institution because they help consumers purchase vehicles through financing and leasing transactions. Among other things, the GLBA requires financial institutions to implement security safeguards for customer information. This aspect of the law is referred to as the Safeguards Rule.
The current Safeguards Rule requires automobile dealers to develop, implement, and maintain a comprehensive information security program. The program must consist of administrative, technical, and physical safeguards that control how a dealership accesses, collects, distributes, processes, protects, stores, uses, and deletes customer data. The Rule requires that each dealership have a written information security program that is appropriate to the size and complexity of the dealership’s operations and the sensitivity of any customer information the dealership collects, uses and stores. The safeguards in the written program must be reasonably designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
The proposed changes include five main modifications of the current Rule. First, it adds new and more specific requirements for financial institutions to develop and implement an information security program. Second, it adds provisions to increase the accountability of financial institutions' information security programs. Third, it exempts small businesses from certain requirements. Fourth, it expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. Finally, it includes the definition of “financial institution” and related examples in the Rule itself rather than relying on cross-reference to a related FTC rule.
For automotive dealers, the most important proposed changes are those to the information security program and accountability. For the information security program, the proposed Rule would include new specific requirements, where the current Rule remains somewhat vague and based on a dealership’s assessed needs. For example, the proposed Rule would require the following: a) data systems inventory; b) data encryption during storage and transmission; c) multi-factor authentication for access to customer data; secure disposal procedures; and d) unauthorized activity monitoring.
The potential costs get even higher in the area of accountability. The proposed Rule would require dealerships to hire new personnel, constantly update their risk assessments, and train employees on a more regular basis. For example, the proposed Rule would require dealership to a) have a Chief Information Security office on staff; b) develop and update the information security program based on a written risk assessment; c) implement penetration and vulnerability testing; and d) train employees in security awareness.
The NADA estimates that the cost of these additional proposed requirements would be substantial. For dealerships with one location and fewer than 50 employees, it estimates one-time costs of $220,400 per dealership and ongoing annual costs of $217,000. For dealerships operating up to 5 locations and employing more than 50 people, it estimates one-time costs of $367,550 and annual costs of $336,050.
While the estimated costs are daunting, California dealers should know that they are already facing significant costs to comply with the CCPA. This new law, which goes into effect on January 1, 2010, gives consumers new privacy rights over data that companies they interact with collect, store, use and sell. It also creates a new private right of action for consumers when there is a data breach that results in unauthorized access to the consumer’s personal information. Consumers will be able to bring these lawsuits even if they cannot prove they were damaged by the breach and will be eligible for penalties in the range of $2,500 to $7,500 per consumer.
The main defense that companies that experience a data breach will have to CCPA lawsuits, which are likely to be brought as large class actions, is that the company used “reasonable” measures to protect the consumer’s sensitive data. The CCPA does not include specific rules as to what constitutes “reasonable,” and the California Attorney General has not proposed regulations yet that would define the term.
In other contexts, the California Attorney General sites the Center for Internet Security’s 20 controls as a standard to measure reasonable efforts to protect consumer data. The CIS 20 controls are an industry-wide standard that many IT security companies believe offers a strong road map for data security. These controls in many ways overlap with the FTC’s proposed changes to the Safeguards Rule. For example, the controls focus on both security measures such as access limitations, data encryption and data inventory, while also focusing on accountability measures such as employee training, penetration and risk testing, and written security and response plans.
The good news for California dealers, therefore, is that the FTC’s proposed Rule does not require significantly more than what they should already be implementing to avoid liability for data breaches under the CCPA. The average dealer making a good faith effort to improve its data security practices will find that the FTC’s proposed Rule is relatively easy to comply with, even where it differs from its current plan to prepare for the CCPA. That does not recommend complacency in the face of new regulation; the FTC’s proposed Rule would introduce new potential for enforcement from a federal agency. Instead, California dealers should respond to the FTC’s proposal by moving ahead with improving their data security, knowing that whatever happens with the FTC, their efforts will be worthwhile to protect their future from costly liability under the CCPA.