Security Market Opportunity: Automotive Dealerships

Talk To Your Customers About Compliance with the Gramm Leach Bliley Act

It’s no secret that auto dealerships are subject to compliance with the Gramm Leach Bliley Act (“GLBA”), especially since they frequently handle customer financing matters. However, the Federal Trade Commission (“FTC”) made amendments to the Safeguards Rule in early 2022 that those in the industry need to know. 

The amendments go into effect on December 9, 2022. Information security teams within any organization required to be compliant with GLBA would be wise to quickly get up to speed and ready to implement updated policies and procedures if they haven’t already. Doing so will ensure solid and consistent compliance.

A Brief GLBA Refresher

Enacted in 1999, GLBA was established as a protective measure to update and modernize the financial industry moving into the 21st century. It requires financial institutions, such as banks, mortgage lenders and non-financial companies that provide financial lending services, to provide customers with clear and accurate information-sharing practices. Ultimately, it allows consumers to opt-out of any interaction if they do not want their sensitive personally identifiable information (“PII”) shared.

What is the Safeguards Rule?

The FTC’s GLBA Safeguards Rule (the rule) took effect in 2003 to protect non-public consumer information collected, stored and used by financial institutions for purposes such as lending and financing. It instructs organizations to implement physical, technical and administrative protections to protect against phishing schemes, email spoofing, cyber-attacks and other cybersecurity risks. 

This rule applies to all industries that feature a financial component, such as those that offer in-house lending and financial counseling, which includes automotive dealerships. Essentially, the Safeguards Rule provides automotive consumers with all the information the auto dealership collects about them and how it will be collected, used and stored. 

Considering the heavy reliance on technology and the ongoing risk-laden cyber landscape, the FTC regularly updates this rule for consumer protection. In January of 2022, the FTC released Safeguards Rule amendments requiring financial institutions to review, revise, and reinforce measures to protect and secure consumers’ PII to ensure data privacy.

Why Are the GLBA Safeguards Rule Updates and Compliance Vital to Auto Dealerships?

The financial industry is a primary target of cybercriminals. Consider the number of cyber attacks targeting the banking sector rose by 238 percent in the first half of 2020 alone, according to VMware. Add to that the financial implications of security violations continues to escalate. IBM and the Ponemon Institute reported that the typical cost of a data breach in the financial sector was $5.72 million in 2021. 

Auto dealerships are just as vulnerable to cyber threats as any other industry. Since auto dealerships also offer loans or serve as intermediaries between customers and banks, their customers need to share sensitive PII for background checks and loan approvals. 

Therefore, auto dealers need to remain compliant with the Safeguards Rule for their customers’ protection and their business’s reputation. 

Along with protecting customers’ PII and the auto dealership’s reputation, it’s crucial to ensure GLBA compliance with the Safeguards Rule to avoid stiff penalties for executives and employees, which include a fine of up to $100,000 per violation. The business’s officers and directors might individually incur penalties up to $10,000 and even suffer imprisonment.

What Can Auto Dealerships Do to Ensure Compliance with the Safeguards Rule?

The most important aspect of the rule is that it is not as flexible as it once was regarding data security. It is critical for all involved to understand that the Safeguards Rule mandates that all financial institutions, including auto dealerships, need to satisfy a substantial list of requirements, regardless of their size, systems and data they maintain. 

Following are five tips that you can flag in your conversations with customers and prospects, to demonstrate your expertise on the topic.

1. Assign a designated coordinator

This IT professional will be able to implement and review the system and controls to ensure everything is in place for securing data.

2. Obtain a risk assessment

A detailed risk assessment will help auto dealerships identify and mitigate any risks that would leave them vulnerable to non-compliance and threats to customers’ PII.

3. Develop and implement Logical Controls

Based on the findings in the risk assessment, the auto dealership must have Logical Controls in place to respond appropriately to those findings. The most common Logical Control used in this capacity is a Managed Detection & Response (MDR) service, providing quick and effective multi-signal visibility, threat containment and total response to any cyber attacks on the auto dealership’s behalf.

4. Appropriate controls with the organization’s vendors

Auto dealership clients must work with vendors to work out appropriate contracts, certifications, and future vendor audits, ensuring that they will report any data or systems breach they suffer to the client as soon as they discover issues.

5. Ongoing process for reviewing and updating security controls

Cybersecurity and data threats are not static or predictable, so it’s vital that IT teams stay on top of reviewing and updating security controls internally and when working with outside vendors.

The GLBA Deadline Opportunity

It’s true. The last 18 months have been busy for auto dealers. Worldwide car sales grew to around 66.7 million automobiles in 2021, up from around 63.8 million units in 2020.

Busy auto dealers can easily miss news about important updates and deadlines like those for the GLBA and Safeguards Rule. This critical update can serve as an opportunity for you to inform or remind them about the GLBA deadline. But more importantly, this moment in time affords you the opportunity to also pitch in to help ensure that they have everything covered and are in compliance. 

You don’t have to do it alone. You have access to a number of security suppliers that can help auto dealership leaders by providing cyber risk assessments, a virtual chief information security officer (vCISO), Managed Detection and Response (MDR), incident response, security awareness training for staff, and other services.

Need help? Reach out to our Solutions Engineering Team or contact your BDM.