Skip to main content

Data Security and Privacy: What Dealers Need to Know



Debbie Ann Sunga

Dealers today must assess not only their own ability to comply with a complex regulatory and data security landscape, but also that of their vendors and other service providers. Increasingly stringent data security and privacy laws mean that technology providers will play a critical role in meeting these requirements for dealerships.

In the Lifeline Series webinar, Navigating the Current Data Security and Privacy Landscape, Brad Miller, NADA director of Legal and Regulatory Affairs, and Mike Trasatti, CEO of DealerBuilt, highlighted the shifting landscape of privacy requirements for business owners and how all dealers can implement data best practices.

Keeping customer information secure has always been a top priority for dealers, but with both state and federal changes increasing the regulatory burden, they must continue to innovate and stay ahead of tomorrow’s curve to ensure their customers and businesses are protected. Miller and Trasatti emphasized that business owners must continue to implement reasonable technical, physical and procedural safeguards to guard against potential cybersecurity threats and meet the requirements of the FTC Safeguards Rule to secure and protect sensitive consumer data.

In addition, a series of recently proposed changes to the FTC’s Safeguards Rule could present massive new requirements and unreasonable costs for dealers. If approved, the amended rule would require dealerships to adopt specific technological standards, including: encrypting customer information; multi-factor authentication; and hiring a chief information security officer (CISO) to oversee information security and report to its board of directors. These mandates would lead to significant compliance costs—a one-time, up-front cost of $293,975 and an average annual cost of $276,925 for the average dealer.

Miller outlined these proposed changes and NADA’s recent efforts to moderate the FTC’s position. Trasatti provided details of his company’s experience with federal regulators and offered tips for dealers to ensure they are prepared for future challenges. As Miller and Trasatti pointed out, regardless of how the proposed FTC rule ultimately comes out, dealers will need to work more closely than ever with technology vendors and OEM partners. And all parties should be acting now to ensure that their technology vendors can meet the new requirements.

Dealers can tackle this regulatory challenge by implementing new processes and practices; bolstering in-house expertise with personnel who are well-versed in data security; and amending and updating contracts. Above all, dealers must exercise due diligence in selecting the right service providers, ensuring that required contract provisions are in place, and then auditing those providers to ensure compliance with the contractual promises.

Overall, Miller suggested 10 steps that all business owners should take today:

10 Steps Dealers Should Take Today

NADA will continue to advocate for reasonable and flexible regulatory requirements to ensure strong and agile data protections. However, it is clear that data security and privacy requirements are increasing in scope and complexity for dealers. The potential changes to the FTC’s Safeguards Rule reinforce the need for ongoing partnerships among dealers, service providers and NADA so that regulatory requirements are met and consumer data is secured.

Note: NADA’s webinar is offered to assist its dealer members in the operation of their dealerships and for general informational purposes only. Each dealer must seek their own legal counsel and make their own independent business decisions and work with their attorneys to ensure advertising and data security comply with state and federal consumer protection laws. The presentation of this information is not intended to constitute legal advice.

Cookie Icon Update Cookie Preferences