The FTC issued yesterday its long-awaited, final amendments to the FTC Safeguards Rule (“Rule”). The Rule – adopted by a 3-2 vote along party lines – contains a significant number of new and expanded procedural, technical, and personnel requirements that financial institutions, including dealers, must satisfy to meet their information security obligations.

The new requirements include:

(a) developing and implementing specific components of an information security program, such as access controls, authentication, and encryption; and

(b) requiring actions related to the program’s accountability, such as hiring or retaining “qualified” personnel and conducting periodic reports to the financial institution’s governing body.

Since the amendments were proposed, Regulatory Affairs presented to the FTC two sets of extensive written comments that challenged the need and practicality of many of proposed amendments and urged the FTC to conduct a cost-benefit analysis on each of them. NADA’s comments included an independent, third-party cost study.

Although the FTC made significant changes and provided important clarifications to the proposed amended rule in response to NADA’s input, many of the amendments will require dealers to adopt new information security measures. While several of the new obligations may already be in place at many dealerships, others vastly expand what most dealers have developed and will require additional investments in software, technology, and potentially dealership personnel. The challenges involved in the satisfying the new obligations could also increase dealers’ liability exposure.

Dealers, as well as their relevant technology vendors, must comply with the new requirements of the Rule within one year of its upcoming publication in the Federal Register. Several of the new requirements do not apply to financial institutions that maintain customer information on fewer than 5,000 consumers.

Regulatory Affairs will develop compliance guidance for NADA members. Dealers are encouraged to reach out to their technology vendors as soon as feasible to ensure they are taking the necessary steps to comply with the new requirements.

Jeff Weber
Chairman, Regulatory Affairs Committee