Amendments to the federal Safeguards Rule will require U.S. auto dealerships to toughen up their information systems security to protect consumer data. 

In late October, the Federal Trade Commission passed amendments to the rule that made five key changes.

1. Adds detailed requirements for the development and implementation of the information security program mandated under the existing rule. The ruling now includes specific requirements for risk assessment, system access controls, authentication and encryption, as well as mechanisms for ensuring effective employee training and oversight of service providers.

2. Requires institutions to appoint a single "qualified individual" to be responsible for the information security program and requires that individual to submit periodic reports to boards of directors or governing bodies to provide senior management with better awareness of their financial institution's data security safeguards.

3. Exempts financial institutions that collect information on fewer than 5,000 consumers from the following requirements: written risk assessments, incident response plan and annual reporting to the board of directors.

4. Expands the definition of "financial institution" to include "finders,” that is companies that bring together buyers and sellers of a product or service — within the scope of the rule.

5. Defines terms and provides related examples in the rule itself rather than incorporating them by reference from a related FTC rule.

The Safeguards Rule took effect in 2003 under the federal Gramm-Leach-Bliley Act, which classifies auto dealers as financial institutions because they offer financing agreements.

Revisions to the rule were approved on a 3-2 vote last month, with Commissioner Rohit Chopra voting in their favor before being sworn in as director of the Consumer Financial Protection Bureau.

The full impact of the rule changes on franchised dealerships remained unclear late last week pending reviews by NADA, compliance experts and dealership leaders.

NADA leaders raised multiple concerns about the proposed changes in public comments before the FTC and shared a cost analysis that indicated U.S. dealerships could face billions of dollars in additional compliance costs if the changes were adopted.

NADA’s 2019 analysis suggested dealerships would spend hundreds of thousands of dollars annually on compliance. In a cost study from 2019 on the FTC's initial proposal, NADA said the expense incurred by U.S. franchised dealerships could range from $220,000 for small dealerships to more than $300,000 for midsize dealerships in upfront costs, plus additional expenses each year after to maintain compliance. The association estimated that U.S. franchised dealerships would spend up to $2.2 billion in startup costs then $2.1 billion in annual costs.