The Federal Trade Commission announced on October 27, 2021 the final updates to the Safeguards Rule under the Gramm–Leach–Bliley Act (“GLB”). These updates are the result of a multi-year process and purport to strengthen security for consumer financial information following an uptick in data breaches. Overall, the updates are more prescriptive than the previous Rule, imposing specific new requirements. For auto dealers who must comply with the new rules when they are fully effective, it means that action is needed now to protect their companies from costly private lawsuits and enforcement actions for failure to comply with the updates.
Most dealers, as “financial institutions” under the GLB, have been subject to the Safeguards Rule for decades. For many years, the Rule has required that dealers assess the risk to the security and privacy of consumer financial information, implement a plan to secure that data, regularly monitor and update that plan, and designate an individual to be responsible for the plan. The major change in the update is that it imposes new specific criteria financial institutions must meet, where before the requirements were general and subject to flexible interpretation.
Under the new rule, financial institutions must address specific topics in their risk assessments and produce a written report of the assessment. It further requires that each safeguarding plan address particular issues, including access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. It also requires financial institutions to adopt measures to oversee the effectiveness of the safeguarding plan, the required employee training, and any services obtained from an external provider.
Another major change is to accountability. For example, while the current Rule allows a financial institution to designate one or more employees to be responsible for the safeguarding program, the update requires the designation of a single “Qualified Individual,” as defined. The update also requires periodic reports to boards of directors or governing bodies. In short, the update raises the stakes for owners and managers, as it requires direct involvement from senior leadership in safeguarding consumer data.
Finally, the update adopts some relief for smaller financial institutions. The update exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors.
The bottom line for dealers is that the updated rule requires action, both upfront and on an ongoing basis. In the event of a data breach or incident, failure to comply with the specific requirements of the update will provide a clear basis for a federal enforcement action and may support costly civil lawsuits, especially in California. The updates will be effective a year from their publication in the Federal Register, which should happen within the next several days.
NADA plans to release detailed compliance guidance in the future. Dealers can also expect that data security vendors will inundate them in the coming weeks and months with sales pitches for compliance solutions. Prior to signing up with any new vendor, every dealer should understand how the update applies to them, what aspects of the update they already comply with, and how the update interacts with state privacy laws. Contact Scali Rasmussen to assess your risk and how to limit potential legal liability.