In the early years of the new millennium, the Federal Trade Commission issued regulations implementing provisions of the Gramm Leach Bliley financial reform legislation. In 2000, it issued the Privacy Rule, requiring notification about your policy and practices on consumer data. In 2002, It issued the Safeguards Rule, requiring a policy and processes for protecting the non-public personal information of consumers. After some initial consternation about the burdens of these rules, particularly the Safeguards Rule, dealers implemented policies and processes. Mostly, dealer policies have seemed to work. To bureaucrats, that means something must be done!
The Privacy Rule
In 2010, Congress amended the Gramm Leach Bliley Act and shifted oversight primarily to the Consumer Financial Protection Bureau for financial institutions other than motor vehicle dealers exempt from CFPB jurisdiction. Given that the FTC’s primary jurisdiction for Privacy Rule compliance is now over franchised car dealers, the Commission has issued notice it is contemplating changing the Privacy Rule to implement legislative changes and to reflect the Commission’s specific focus on car dealer compliance. The changes proposed to the Privacy Rule are not a serious subject of concern for dealers. Dealers must be vitally concerned, however, with the proposed changes to the Safeguards Rule.
The Safeguards Rule
In 2016, the FTC solicited comments on the Safeguards Rule as part of its periodic review of regulations. The Commission received numerous comments, and apparently larger institutions, which have implemented expensive precautions against improper online access into their systems because of their size and complexity, argued that the FTC should be sure that smaller businesses have the same expensive burdens inflicted on them.
The FTC has issued a notice of proposed rulemaking to amend the Safeguards Rule. The original Safeguards Rule was promulgated to allow businesses to make their own determinations of the best policies and methods to ensure protection of customer data. In this rulemaking notice, the FTC claims the proposed revision maintains that same flexibility. That may be the case for policies and processes that do not involve online access, but for online capabilities that claim of continued flexibility is nonsense. The proposed rule adds very specific requirements affecting online systems with customer data. Proposed changes could dramatically increase a dealer’s costs for compliance with the FTC Safeguards Rule.
The proposed rule still requires a covered business to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” However, the rule states that the program must include certain elements, some of which are:
- Designation of one individual for implementing, overseeing, and enforcing your information security program.
- Controls over access to information systems “including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of customer information and to periodically review such access controls.”
- Installation of capabilities to “Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest.” There is an exception to this if encryption is “infeasible,” but infeasibility is a high burden to meet where dealer DMS providers will be only too happy to provide the capability at an exorbitant cost.
- A requirement to “Implement multi-factor authentication for any individual accessing customer information.” There is an exception from this but only if the information officer in charge has approved a reasonable alternative or “more secure access” control, surely at an additional cost.
- A process to “Include audit trails within the information security program designed to detect and respond to security [e.g. breach] events”
- A requirement to “Implement policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.”
The proposal details the periodic assessments, and the regular reports that must be made to the dealership’s board of directors or equivalent governing body.
While extolling the goal of trying to maintain the flexibility for those subject to the Information Safeguards Rule to comply with it, the proposed revision does anything but that for online systems that store customer data. There are very specific requirements imposed.
Dealers, which for the most part are small businesses, will find the new requirements daunting. Dealers will rely on their DMS vendors to make the changes necessary for compliance, but dealers know better than anyone how expensive these sorts of changes are. In addition, employees must be retrained, the chief information officer will have dramatically increased responsibilities, oversight will be more costly, and ongoing testing and compliance costs will increase. The FTC proposes all of this for small businesses to approximate what large financial institutions have determined they must do because of the complexity of their organizations. But is this costly end to flexibility worth the expense?
Interested parties have 60 days from publication of the proposals to comment on the rule revisions.