By Elisabeth Stonehill, President, NetLib Security

As an auto dealership, you collect a range of personal information about your customers in the normal course of business. This can include confidential consumer data such as credit reports, driver’s license information, social security numbers, employment details, addresses, and credit card information. It’s crucial that auto dealership compliance is taken seriously as 15 million Americans become victims of identity theft every year.

If your dealership offers credit and financing options, you are legally considered a lender and must comply with the Gramm-Leach-Bliley Act (GLBA), including the Privacy Rule and the Safeguards Rule. Even if you are passing the information on to another lending institution, you are still liable for protecting the customer data you’ve collected along the way. To comply with the GLBA Privacy Rule, dealerships must inform customers of the information they are collecting, as well as how their information will be shared. You must also allow your customers to “opt-out” of information sharing wherever possible.

The Gramm-Leach-Bliley Act Safeguards Rule requires car dealers to safeguard this consumer information from unauthorized access, fraud, or misuse. This article will focus specifically on the Safeguards Rule aspect of the GLBA regulations.

Why The New Implementation for Automobile Dealerships?
The Federal Trade Commission (FTC) has created specific criteria for auto dealerships to improve protection and prevent data breaches and cyberattacks. The GLBA Safeguards Rule mandates the implementation of detailed procedures. Why is that?

Most automotive dealerships provide financing options to their customers, which can make the buying experience more seamless and convenient, but also creates areas of concern for security.

In 2021, the FTC revised the Safeguards Rule to require financial institutions to take additional measures to protect and secure customer information. This rule oversees how financial institutions protect consumer data. While these changes took effect back in January 2022, the compliance deadline was extended to June 9th of this year.

That means that starting June 9, 2023, the FTC’s amended Safeguards Rule will require dealerships to develop, implement, and maintain a comprehensive security system to keep customer information safe and secure.

How does the GLBA Safeguards Rule impact your dealership?
Despite the sensitive nature of the customer information that auto dealers collect, many do not have adequate measures in place to protect customer data from theft or misuse. As an automotive executive, you may be aware that in many cases, dealerships’ customer files are inadequately secured both physically and digitally. Neglecting to properly protect customer data can lead to substantial fines and penalties from the federal government.

How Your Dealership Can Make Sure It’s Safe
So, how can you ensure that your dealership is adhering to security protocols and best practices in answer to emerging security risks? The FTC identified nine elements that should be incorporated into a security program.

1. Designate a qualified individual who will implement and supervise the data security program
2. Conduct a risk assessment
3. Design & implement safeguards to address identified risks
4. Regularly monitor and test the effectiveness of your safeguards
5. Train your staff
6. Monitor your service providers
7. Keep your information security program up-to-date
8. Create a written incident response plan
9. Require the qualified individual to report to your board of directors

These elements outlined by the FTC provide the framework for your dealership’s security program. If you need additional assistance in creating a security plan that works for you and your company, check out the article “Data Security Best Practices For Businesses in 2022” for more information.

Without Encryption, You Are Putting Your Business At Risk!
A big aspect of data security is encryption. If you aren’t sure where to start with encryption, NetLib Security’s “Beginners Guide to Encryption” covers the basics of what you will need to implement this protection in your business. In a broad sense, data encryption provides an additional layer of defense that ensures that even if someone gains unauthorized access to your data, they cannot use it. If you are in the automotive industry and don’t use an encryption system to protect sensitive data, you are putting your business at risk. NetLib Security’s Encryptionizer is a transparent data encryption software solution designed to protect the data on your system. It makes your vital information unreadable if it is downloaded, copied, or stolen from your company. It runs transparently in the background, does not interfere with business operations, and is easy to install, making it the optimal choice for your encryption and data protection needs.

What Happens if Auto Dealerships Do Not Comply?
If automotive dealerships fail to comply with these new regulations, they will face hefty penalties. The cost of non-compliance can reach up to $46,517 per violation for dealerships that do not take the necessary precautions. Additionally, non-compliance can lead to consent decrees with the FTC and increased enforcement. Consent decrees represent a strictly regulated and managed settlement where the FTC periodically examines dealership compliance. If compliance continually fails, it can even result, in extreme cases, in the imprisonment of responsible management members.

Compliance is important for any industry. As a business, it is your responsibility to protect the information of those who entrust it to you. Encryption is an easy way to ensure your client data is secure. With the new regulations and potential high fines for non-compliance, there is no reason not to take it seriously.

Note: This article is offered for general informational purposes only and is not intended to constitute legal advice. Each dealer should seek their own legal counsel and make their own independent business decisions and work with their attorneys to ensure compliance.


Elisabeth Stonehill is the President of NetLib Security Inc, a premier cybersecurity company. With over 25 years of experience in the industry, she is dedicated to providing innovative and secure solutions to protect companies and individuals from cyber threats.

Author: Christine Corkran

Digital Dealer