GLBA is Here – Is Your Dealership Ready?

Regulations for data privacy and security is a growing topic across every industry. Those regulations are growing broader and impacting more industries every year, and this year the automotive industry is included. After “recent high-profile data breaches,” the Federal Trade Commission (FTC) amended the Gramm-Leach Bliley Act (GLBA) to include the Safeguards Rule – a mandate that considers automotive dealers as financial institutions and thus requires them to satisfy a list of requirements regardless of their size, systems or the types or scope of data they maintain. In short, GLBA Safeguards Rule places checks and balances on automotive dealers to protect consumers and ensure dealerships are good custodians of their data.  

The Safeguards Rule is different from the Privacy Rule and other regulations previously put into place that address how dealers collected data or how they shared that data. The Safeguards Rule places the burden of risk on dealers to protect that data – even after the data is shared with third party vendors. Automotive dealerships collect data from the first time a customer interacts with a dealer to long after they walk out the door with the keys to a new ride, and dealers often utilize a number of vendors and software tools that share consumer data for a number of uses. Under the Safeguards Rule, the dealership is now responsible for what vendors do – or do not do – with that data.  

 “GLBA’s Safeguard Rule means dealerships are responsible for the chain of custody of consumer data,” said John Acosta, CEO of VTech Dealer I.T. “In the oil industry, this is called cradle-to-grave responsibility. So, a vendor spills a dealer’s oil, the automotive dealer is responsible for that oil spill – or that data breach.” 

 Customers trust dealers with their private data. They’re likely aware that data is shared with third-party vendors but they’re entrusting that data with the dealer not the vendor. The threshold of responsibility begins immediately when the customer hands that data over to the dealer and doesn’t end until that data has been permanently and appropriately discarded. No matter where, when, or how a data breach happens or who the data is with when it happens – the responsibility for that breach stays with the dealer. 

 With GLBA’s Safeguards Rule going into effect June 9, 2023, dealers need to take preparatory steps – planning for the worst and hoping for the best. Here are three steps dealers need to take now to prepare for these regulations: 

  1. Integrate multi-factor authentication (MFA) on all systems including email and communications that include any personally identifiable information (PII). MFA requires users to take additional step(s) to login, ensuring a program they are who they say they are – preventing unapproved access through hacked passwords or other breaches. Anyone that uses online banking or even social media is likely accustomed to MFA in varying degrees.  
  2. Conduct a data privacy risk assessment to understand what holes exist within your infrastructure. This assessment will review what data sets you’re collecting and what risks that places on your data subjects’ (customers, staff, etc.) privacy. It will also include a sensitivity scale based on risk factors and provide a recommendation to mitigate those privacy risks. In some risk assessments, you may be able to reduce your risk by reducing the amount of data you collect without impacting the needs of your business. In other cases, you’ll receive the information you need to make an informed decision on how to protect your customers’ privacy. 
  3. Implement an information security program or outline your plans for information security. An information security program designs and implements security practices to protect IT assets, business processes and, you know it, consumer data. An information security program evolves over time as regulations and risks change.  

In addition to putting these safeguards into place, dealers should also ask their vendors if they are aware of these new regulations and what their plans are to safeguard the data you share with them.