ComplyAuto | Jun 19, 2025 1:25:48 PM | 5 min read

FTC Issues Key Safeguards Rule FAQs for Auto Dealers


On June 16, 2025, the Federal Trade Commission (FTC) released its first set of Frequently Asked Questions (FAQs) on the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule since the revised rule took effect in 2023. These new FAQs specifically cover auto dealerships and generally address your relationships with OEMs and other third-party vendors. The FTC’s new FAQs reaffirm and clarify several key GLBA Safeguards Rule requirements:

1 - Reiterating the Core Requirements for Dealers

a. The Safeguards Rule Applies to Dealers
Dealerships are generally considered financial institutions under the GLBA and must comply with the Safeguards Rule, which requires a combination of administrative, technical, and physical safeguards to protect customer data containing “Nonpublic Personal Information” (NPI).
The required safeguards include a number of steps such as encryption of customer data, multi-factor authentication, continuous systems monitoring or regular penetration testing, and employee training. As outlined below, compliance with the Rule also requires dealers to monitor and enter into contracts with service providers (including, in some cases, OEMs).

b. NPI Is the Focus
The Safeguards Rule focuses on data known as NPI, obtained from your “customers.” This is generally personally identifiable information obtained in connection with a finance or lease transaction, such as names, Social Security numbers (SSNs), income, and credit history.

c. Customer Lists and Service Department Records
As noted by the FTC in previous guidance, dealer lists containing information such as names and addresses, by themselves, are likely not to be considered NPI, as long as such lists do not in any way identify any customer as a finance or lease customer.[1] If a list does include such “finance or lease identifiers,” it would be NPI protected by the Safeguards Rule. (Note that this generally does not apply to service or parts customer records.) Therefore, a list containing, for example, names and addresses of all vehicle buyers in a given month would NOT be NPI, even if pulled from a commingled database, as long as it doesn’t reveal whether those individuals obtained financing or include other sensitive personal information (like SSNs or income). However, the database itself is considered NPI if it includes any such information.

That means a dealer may be able to send a retail delivery report (RDR) or similar report to an OEM without triggering the obligation to monitor the recipient OEM. However, if a dealer provides access to the entire database, or if the RDR includes any finance or lease identifiers, then it is NPI and the monitoring (and other Safeguards Rule) obligations are triggered. As a practical matter, this distinction can be difficult or impossible for dealers to monitor and maintain, given the commingled nature of dealer databases and systems, the scope of information generally provided to OEMs, and OEM demands for access to dealer systems.

2 - Clarifications About Service Providers, Including OEMs
A significant focus of the FAQs is on service providers, including how and when dealerships must monitor them.

a. Dealers Must Monitor Their Service Providers
Under the Safeguards Rule, a “service provider” is a third party that is permitted access to NPI (or systems containing NPI) because it is providing some sort of service to the dealer. Dealers are not permitted to share NPI at all with third parties who are not service providers, unless some other legal exception applies.[2] If a dealer provides a service provider (including an OEM) with access to customer information containing NPI, the dealership must also take steps to:

  • Conduct due diligence before engagement;
  • Contractually require the provider to protect NPI and limit its use; and
  • Periodically monitor the provider’s data security practices.

b. OEMs Can Qualify as Service Providers
OEMs that provide services to dealers that include access to NPI are service providers under the Safeguards Rule, which triggers these monitoring and contractual requirements. For example, an OEM that, pursuant to a data sharing agreement with the dealer, uses dealer data to engage in marketing on behalf of the dealer would be acting as a service provider for the dealer.

c. Some OEMs May Fall Outside the Safeguards Rule
There may be limited situations where NPI may be shared with an OEM that does not qualify as a service provider under the Safeguards Rule. But even then, the Privacy Rule still applies. In these situations, dealers must ensure that any data sharing complies with a valid exception under the Privacy Rule. In addition, the recipient OEM is subject to regulatory limitations on reuse or redisclosure of that NPI (it cannot use the NPI for marketing purposes, for example).

d. Not Every Vendor Must Meet 100% of the Rule’s Requirements
The FAQs also note that not every service provider must contractually agree to comply with every technical requirement under the Safeguards Rule. Instead, the Rule is technically flexible enough to permit the dealer to determine that certain service providers may comply with only some of the required data security practices or procedures if the information shared with that service provider is of a less critical nature. Again, while this may be true in theory, almost all dealer data is of a critical nature, and it can be difficult to impossible for a dealer to make such individualized determinations without much more information regarding a particular service provider and the exact data processes it has in place.

The BOTTOM LINE for Dealers

In accordance with these FAQs, the best approach for dealers is to ensure they are complying with all service provider monitoring and other obligations under the Safeguards Rule any time they: (a) provide access to any database that contains NPI, (b) share any customer list (or individual customer data) that contains finance or lease identifiers, or (c) share any other data that contains information such as SSNs or other information from a credit application with a third party. This includes vetting, monitoring, and entering compliant agreements with ANY such third party, whether it is a commercial vendor or an OEM providing a service to the dealer.

ComplyAuto Has You Covered
These FAQs demonstrate the FTC’s continued focus on dealer compliance with the Safeguards Rule, and the importance of understanding your vendor relationships, especially with OEMs. If you’re unsure whether your current practices meet the Safeguards or Privacy Rule requirements, ComplyAuto is here to help. Our platform takes steps to ensure your dealership stays compliant, including managing third-party vendors acting as service providers on your behalf. We categorize vendors on your behalf, and ensure that compliant contractual amendments are entered and appropriate risk assessments are completed for all your vendors. If you have any questions, or need to know more about whether you are compliant in light of these recent FAQs, contact ComplyAuto today.


1Including any monthly payment amount, APR, credit information, or any other indicia of a lease or finance. 2This is beyond the scope of this memo, but the FAQs discuss the related GLBA Privacy Rule, which governs sharing of NPI and other data with third parties. There are restrictions on sharing NPI (and restrictions on the reuse and redisclosure of data by those third parties) that could require notice and opt-out opportunities.

Author: Marc Sanborn, Senior Product and Regulatory Specialist, ComplyAuto
The original article is available here.