If an agent cannot fulfill the new requirements, the FTC has an answer: fire that agent and find one that can. - IMAGE: Flickr

If an agent cannot fulfill the new requirements, the FTC has an answer: fire that agent and find one that can.  

IMAGE: Flickr

On January 10, 2022, two significant things happened: Georgia beat Alabama 33 – 18 to win its first football National Championship since some guy named Herschel Walker helped the Dawgs defeat Notre Dame in the 1980 Sugar Bowl, and the revised Safeguards Rule went into effect.  I bet you paid attention to one of those events.

Long term, the event you should be paying attention to is the revised Safeguards Rule.  

The revised Safeguards Rule built upon the original article that went into effect in 2003.  Whereas the original Rule was certainly flexible, it could also be seen as subjective and difficult to enforce (though that did not prevent some very high-profile – and expensive – actions against dealers and their service providers).

The biggest change the revised Rule brings is that any flexibility and subjectivity are gone.  The enhanced requirements are inflexible and objective.  And while those requirements could certainly fit within the borders of the 2003 version, they are now mandatory.  You either do them or you don’t, and the penalties for not doing them are potentially severe.

Here is a brief list of the new Safeguards obligations:

  1. Designation of a “Qualified Individual” to oversee the program.
  2. Requirement of a written risk assessment.
  3. Access controls.
  4. Data/systems inventory.
  5. Data encryption.
  6. Secure development practices.
  7. Multi-factor authentication.
  8. Systems monitoring and logging.
  9. Secure data disposal procedures.
  10. Change management procedures.
  11. Unauthorized activity monitoring.
  12. Intrusion detection/vulnerability testing.
  13. Enhanced training for general employees and information security personnel; verifiable process of keeping information security personnel current on emerging threats.
  14. Selecting, overseeing and monitoring Service Providers.
  15. Written incident response plan.
  16. Annual written report to Board or Senior Management.

Unpacking all of those topics in useful detail will require a series of articles, which you may expect in this space over the coming months.  It is enough for today to recognize that these new obligations are complex to understand and expensive to implement.

How expensive?  The National Automobile Dealers Association commissioned an independent IT firm to investigate the likely cost impact.  Their conclusion was that an average dealership could expect to spend over $266,000 in one-time up-front costs to comply, and $225,000 per year to maintain their Safeguards program. Actual mileage will vary, of course, but there is no way to do this on the cheap.  It will be expensive and there is no easy way around that unhappy fact.

Agents can expect to be asked by their dealership clients where to turn for the necessary solutions.  Agents, though generally not cyber security experts, will need to have answers that connect their clients to the appropriate resources.

The effective date of the revised Rule was January 10, 2022, but you were more concerned about the Georgia-Alabama game.  The portions of the revised Rule that went into effect on that date, however, are largely the requirements understood to be in the original Rule.  In other words, dealers are expected to be following those already.

The more onerous requirements, listed above, don’t become effective until December 9, 2022.  That allows some lead-time, but December will be here before we know it.

That brief overview of the revised Safeguards Rule may sound like all an agent needs to know or worry about at this point.  It’s not.  As the title of this article suggests, the Safeguards Rule could kill your agency.  How?

The enhanced requirements of the Safeguards Rule don’t just apply to financial institutions (including dealers), they apply equally to service providers.  What is a service provider?  Any person or entity that has access to customer data as a result of providing services to the dealer.  F&I agents, in other words.

Agents will need to demonstrate and document that they meet the Rule’s requirements.  Dealers will be required to bind F&I agents by written contract to do so.  And if an agent does not or cannot fulfill those requirements?  The FTC has an answer: fire that agent and find one that can.  Under the new Rule, the agent’s violation is the dealer’s violation.  Dealers will respond accordingly.

And that’s how the Safeguards Rule could kill your agency.

Next time: How to survive the Safeguards Rule.

About the author
Jim Ganther

Jim Ganther


Jim Ganther is president of Mosaic Compliance Services. He is an attorney and a member of the National Association of Dealer Counsel.

View Bio