TYSONS, Va. — National Automobile Dealers Association officials are on the record in opposition to proposed revisions to the federal Safeguards Rule. The new guidelines were offered by the Federal Trade Commission as a mechanism to enforce existing data privacy standards as new technologies and applications proliferate. NADA says they would represent an undue financial burden to auto dealers and could derail compliance efforts.
In effect since 2003, the rule affects “financial institutions,” including dealers whose activities include facilitating the financing and leasing of vehicles. It requires business owners to designate a compliance officer, identify risks and design appropriate safeguards, conduct risk assessments on software and oversee service providers, and periodically review their programs.
In addition to adding businesses “engaged in activities … incidental to financial activities” to its scope of enforcement, the government’s proposed changes would include provisions designed to “provide … more guidance” and “improve accountability” related to those efforts.
Writing for the August issue of F&I and Showroom, attorney and compliance expert Jim Ganther said that translates to the hiring or appointment of a chief information security officer.
“Designating an employee isn’t necessarily hard. But actually having a qualified employee already on the payroll may prove to be problematical,” Ganther wrote. “In the alternative, the CISO may be an outside service provider, but a senior manager at the dealership must oversee that service provider and the service provider must run an information security program that satisfies the FTC’s rule.”
The cost of a CISO alone would be “a tall order” for a small dealer, Ganther added.
“According to people in the computer security industry I’ve spoken to, $100,000 to $150,000 is a reasonable range. … The other option is to hire an outside contractor to perform the CISO duties. These people do not come cheap. My sources say one can expect to pay $4,000 to $10,000 per month for such services.”
The association made its case in comments submitted to Regulations.gov last month. Officials calculated a total average initial cost of $220,400 and ongoing annual costs of $217,800 for small dealers. For midsize dealers, those costs grow to a projected average of $367,550 initially and $336,050 per year. Both sets of costs would be incurred in the first calendar year.
“Indeed, many financial institutions, like the vast majority of automobile dealers, are small businesses, with limited staffing, resources, and expertise that must be carefully, strategically, and appropriately deployed to meet the reasonableness standard of the rule and adequately protect consumer data,” officials wrote. “Our members range from large, publicly traded dealership groups with thousands of employees to small, single-store dealerships with as few as 10–15 employees.
“Most of our members are small businesses as defined by the Small Business Administration. Nevertheless, our members take great care and make substantial investments in money and time to protect the information they obtain and maintain — not just to comply with the rule, but also because they care about their customers and want to maintain the trust their customers have placed in them,” they added.
The FTC’s official comment period was extended several times in response to requests from various entities, including NADA and the National Independent Automobile Dealers Association, and is now closed. There is no set timetable for review or further discussion of the new provisions or their monetary implications.
NADA President Peter Welch described the association’s calculations as “conservative.”
“The numbers are staggering, even if we’re off by 10 or 20 percent,” Welch told Automotive News. “It puts a squeeze particularly on our smaller dealers.”