Auto dealerships have another six months to beef up their consumer information security following a Federal Trade Commission Safeguards Rule extension announced Tuesday, Nov. 15.
The last-minute reprieve moves the date for dealerships and other financial institutions to comply with the revamped Safeguards Rule, from Dec. 9, 2022, to June 9, 2023. The Safeguards Rule is part of the Gramm-Leach-Bliley Act regulating business customer information practices.
FTC commissioners voted 4-0 in favor of the extension. On Monday, Nov. 14, FTC Commissioner Christine Wilson issued a separate statement noting that she still opposes the FTC’s 2021 decision to change the rule in the first place.
The agency cited reports — including from the Small Business Administration Office of Advocacy — of a lack of qualified personnel to oversee the changes and businesses having difficulty sourcing necessary technology.
“These difficulties were exacerbated by the COVID-19 pandemic,” the FTC wrote in a news release Tuesday. “These issues may make it difficult for financial institutions, especially small ones, to come into compliance by the deadline.”
The National Automobile Dealers Association, auto lender trade group American Financial Services Association, credit bureau organization Consumer Data Industry Association and collections association ACA International made a similar point in a July letter to the FTC. The associations had requested a year-long extension, to Dec. 9, 2023.
“Our members appreciate the FTC’s work to protect customers’ information,” NADA and
the others wrote. “At the same time, the residual effects of COVID-19 on the labor market and supply chain, as well as dueling regulatory demands and the technological changes required for proper compliance, make it difficult for covered entities to uplift their information security programs to meet the requirements in the Final Rule.”
NADA did not respond to a request for comment. AFSA said it appreciates the FTC’s action.
“AFSA member companies provide crucial services in our economy,” AFSA Senior Vice President Celia Winslow said in a statement. “Extending the implementation date of the rule means that companies will be able to make appropriate enhancements to systems and staffing, ultimately benefiting consumers.”
The Small Business Administration Office of Advocacy, an independent SBA entity tasked with advancing the views of small businesses, wrote to the FTC in August asking for an additional year, citing similar points as the trade groups.
The updated Safeguards Rule instituted in 2021 lists nine elements that must be found in a dealership’s cybersecurity program by the compliance deadline.
A business must hire or outsource a “qualified individual” to oversee the program and report to company leadership; assess risks and act to minimize them; have an incident response plan should a breach occur; test or monitor its system; train staff; monitor vendors for information security; and adapt the system to changes at the business or other developments.
Audrey LaForest contributed to this report.