Important NEW Safeguards Rule Obligation Starting May 12, 2024
Dealers Must Report “Notification Events” to the FTC Starting May 12, 2024
The FTC Safeguards Rule contains a new requirement: dealers must notify the FTC if certain security events that could affect consumer data occur in dealer systems or in third-party systems containing dealer data. NADA has updated its Driven Guide, A Dealer Guide to the FTC Safeguards Rule (L43), to include details about the new requirements.
What counts as a notification event?
The trigger for filing a report is what is called a “notification event,” which is defined as “[t]he acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This likely applies to data breaches or other security events that compromise unencrypted consumer data, but unfortunately, the exact scope of this definition is somewhat unclear.
If a notification event occurs that affects the unencrypted information of 500 or more consumers, then it must be reported to the FTC as soon as possible and no later than 30 days after it is discovered. Notice to the FTC must be provided electronically through a forthcoming form located on the FTC’s website. Dealers may need to report notification events that occur in dealer-controlled systems as well as those that occur at a vendor if they affect that dealer’s customer data.
This new reporting obligation begins on May 12, 2024. Dealers should review NADA’s previous Safeguards guidance (membership required) and consult the newly updated Driven Guide, A Dealer Guide to the FTC Safeguards Rule (L43), before the May 12 compliance deadline. Dealers should also work with their IT professionals and counsel to understand and prepare for the new requirements and should update their incident response plans and information security programs accordingly.