With the Federal Trade Commission granting dealerships a six-month reprieve to comply with the updated Safeguards Rule, the larger dealership groups who were scrambling to meet the original Dec. 9 deadline have their smaller brethren to thank for the extension.
The FTC established June 9, 2023 as the new date to comply with the latest Safeguards Rule. Part of the commission’s reasoning is that some financial institutions — including smaller dealerships — might need more time. In a news release announcing its decision, the FTC cited a shortage of qualified personnel to implement information security programs and reports of possible delays in obtaining equipment needed to upgrade security systems because of supply chain issues.
“These difficulties were exacerbated by the COVID-19 pandemic,” the FTC wrote. “These issues may make it difficult for financial institutions, especially small ones, to come into compliance by the deadline.”
The FTC also mentioned a letter from the U.S. Small Business Administration’s Office of Advocacy as a factor in its decision.
The agency first issued its Safeguards Rule in 2003 for financial institutions to protect consumer data. In fall 2021, the FTC amended it to specifically include auto dealerships with more than 5,000 customer records — the vast majority of auto dealerships.
Provisions of the updated Safeguards Rule specifically affected by the 6-month extension:
Bob Harkins, vice president of training for finance-and-insurance provider American Guardian Group of Companies, said dealerships have a lot of work to do to meet the FTC’s compliance requirements. American Guardian services 4,000 dealerships in about 40 states.
Harkins told Automotive News that dealerships are struggling to find qualified individuals and are struggling with writing their plans, their written information security programs and incident-response plans. “That takes some legal or very specialized help, and the penalties are severe,” he said.
The penalty for a Safeguards Rule violation is as much as $46,517, said Harkins.
“Smaller-volume dealerships feel less threatened by a cybersecurity attack, and they think it won’t happen to them,” he said. “Larger megadealer groups are doing a better job because of staffing, and attorneys are part of their teams. The smaller dealer may have an attorney but not specialized with cybersecurity compliance.”
Glenn Mears, owner of Mears Parkway Auto Group in Dover, Ohio, has four rooftops selling Ford, Lincoln, Honda, Nissan, Chrysler, Dodge, Jeep and Ram. He said he is a mid-volume dealer, and that with all the scams extracting money through fraud, compliance needs to be done.
“Dealers have become rather delicious targets for these people that were doing this stuff,” Mears told Automotive News. “We’re lip-smacking good.”
Mears’ wife, Renee Miskimmin, is coordinating the group’s compliance efforts. Miskimmin is Mears Parkway Auto Group’s COO and also a family physician.
“It’s not a small undertaking,” Miskimmin told Automotive News. “Do I believe it’s the right thing to do to protect people’s information? I absolutely do. I’m from the medical profession and we take people’s privacy very seriously; the auto industry is no different.”
However, there are issues, she explained. The FTC has not provided guidance on certain issues within the Safeguards Rule, she said.
“The manufacturers don’t seem to believe they are a vendor with us,” Miskimmin said. When it comes to safeguards for cybersecurity “they don’t feel like they need to be treated like a vendor,” she said. “That’s an issue NADA is still trying to work through.”
Sensitive information is not only in the F&I department, Miskimmin said. Everything from gathering a customer’s name, address and phone number for a car repair order involves sensitive information.
“We know how to sell cars and fix cars; we are not IT professionals, and we don’t spend all our time thinking about how to break into someone’s databases to steal information,” she said. “But the health care industry, banking and credit card industry have been through this. It’s a challenge.”
Many dealerships have sensitive information on paper, she added, while at others, it is all electronic. “How are you storing it, destroying it when the time comes? Some dealerships, it’s half and half, paper and electronic,” Miskimmin said.
Anu Roberts, senior director of product marketing for modern retail and IT solutions for CDK Global, says dealers can take a holistic approach to cybersecurity with these initial steps.
Wes Moats, owner of Mark Moats Ford in Defiance, Ohio, said his store should be ready to meet compliance deadlines in December and June. Work for the extended June deadline is more than halfway done, he said, but the process is pricey and presents a challenge in finding the right person on staff to manage everything involved.
“It’s difficult to find someone that can make it scalable to a smaller dealer price,” Moats told Automotive News. “Whether you’re a large conglomerate dealer or a small dealer, it’s the same price.”
Moats connected with a California-based cybersecurity speaker at a trade association convention he attended in April. He hired the company to help his store achieve compliance with virtual help sessions. Moats appointed his office manager to head the compliance process.
“Once you sign up, they’ll get you compliance,” Moats said of the company.
Still, he takes time to ensure nothing is sitting out on desks in his store.
“It’s very difficult, whether you have a large dealership or a small dealership,” Moats said. “What they’ve written in that law, I feel like I have to hire a whole other person to do that job and [that person] doesn’t make an income doing that. That’s a 100 percent expense, but it’s important we make sure information is confidential.”
The six-month extension gives dealerships more time to wrap their arms around compliance — which is needed. A recent CDK Global survey of dealership executives, IT decision-makers and other staff found just 35 percent said they fully understand the updated FTC Safeguards Rule requirements, while only 47 percent said they are well prepared.
CDK Global’s second annual State of Cybersecurity Report shows 85 percent of dealerships surveyed said threats are very important to them, while almost 60 percent said they plan to upgrade their IT infrastructures this year.
“Cybersecurity is certainly a complicated landscape, particularly for small to medium businesses,” said Anu Roberts, senior director of product marketing for modern retail and IT solutions at CDK Global.
“Oftentimes they don’t have expertise on staff to really understand everything that goes into cybersecurity. You also have a lot of aging infrastructure, legacy infrastructure that needs to be upgraded. … It’s really kind of a perfect storm of risk.”
The National Automobile Dealers Association estimates the cost for compliance with the Safeguards Rule to be about $250,000 for a dealership, Roberts said, but the cost of a cybersecurity attack can be far greater.
“While you have a substantial cost to an effort to comply, there are a lot of implications, not just financial, but from a consumer level if they don’t protect themselves,” she said. “It’s not really a matter of if but when an attack is going to happen.
“Statistically, attacks are happening at a pretty high rate.”
There has been an uptick in cyberattacks since the pandemic, and hackers are interested in car dealerships.
“The dealership holds really valuable information that the hackers want and that’s sold for a lot of money on the dark web,” Roberts said. “That makes institutions like dealerships, banks and financial organizations prime targets.”
CDK Global works with dealerships to help them comply with FTC regulations and manage daily cybersecurity issues. The company conducts webinars to educate dealers and their staff on the topic.
Dealerships experience an average of 16 days in lost revenue due to cybersecurity issues, Roberts said, adding that the average ransomware payout in the second quarter of this year was $228,125 — up 8 percent from the previous quarter.
While that is costly to dealerships, a bigger loss would be those customers taking their business elsewhere. The CDK report shows 84 percent of consumers said they would not go back to a dealership if it suffered a cyberattack.
“Dealerships spend a lot of effort, time, resources and money driving consumers to their dealership,” Roberts said. “Knowing that 84 percent said they wouldn’t come back to buy from them after a cyberattack is pretty striking.”
Automotive News
ISSN 0005-1551 (print)
ISSN 1557-7686 (online)