Dealers Must Report “Notification Events” to the FTC Starting May 12, 2024
The FTC Safeguards Rule now requires dealers to notify the FTC when certain security events that could affect consumer data occur in dealer systems or in third-party systems containing dealer data. NADA has updated its Driven Guide, A Dealer Guide to the FTC Safeguards Rule (L43), to include details about the new requirements.
On October 27, 2023, the FTC announced a final rule amending its Safeguards Rule that will require non-banking financial institutions, such as dealers, to report certain data breaches and other security events, which the rule refers to as “notification events.” This means that dealers and others will be required to notify the FTC, which will post the reports on a publicly available website.
What counts as a notification event?
The trigger for filing a report is what is called a “notification event,” which is defined as “[t]he acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This likely applies to data breaches and other security events that compromise unencrypted consumer data, but unfortunately the exact scope of this definition remains somewhat unclear.
If a notification event occurs that affects the unencrypted information of 500 or more consumers, then it must be reported to the FTC as soon as possible and no later than 30 days after it is discovered. Notice to the FTC must be provided electronically through a forthcoming form located on the FTC’s website. Dealers may need to report notification events that occur in dealer-controlled systems as well as those that occur at a vendor if they affect that dealer’s customer data.
This new reporting obligation begins on May 12, 2024. Dealers should review NADA’s previous Safeguards guidance (membership required) and consult the newly updated Driven Guide, A Dealer Guide to the FTC Safeguards Rule (L43), before the May 12 compliance deadline. Dealers should also work with their IT professionals and counsel to understand and prepare for the new requirements and should update their incident response plans and information security programs accordingly.