OFFICIAL PUBLICATION OF THE Illinois Automobile Dealers Association

Pub. 14 2024 Issue 4

Counselor’s Corner: Dealerships Must Ensure Security Solutions Are in Place to Protect Personally Identifiable Information That is Digitally Exchanged

Following this year’s significant cybersecurity incident involving many dealerships’ third-party service provider, security and privacy questions continue to arise relating to various types of information and data. As a reminder, under the Federal Trade Commission (FTC) Safeguards Rule, additional changes¹ went into effect last year impacting, among other things, dealerships’ digital communications.

Additionally, along with these changes, the amended Safeguards Rule requires dealerships to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. After an extension by the FTC, certain changes went into effect as of June 9, 2023. These provisions required dealerships to:

  • designate a qualified individual to oversee their information security program;
  • develop a written risk assessment;
  • limit and monitor who can access sensitive customer information;
  • encrypt all sensitive information;
  • train security personnel;
  • develop an incident response plan;
  • periodically assess the security practices of service providers; and
  • implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

The amended Rule also updated the employee security training requirement. Dealership security awareness training must reflect risks identified in a risk assessment, along with ongoing training for security personnel. This includes verification that security personnel are taking steps to stay current on emerging threats and countermeasures.

While dealerships should by now have their policies in place and implemented, the Safeguards Rule changes also include data security standards and procedures. Pursuant to their updated security programs, dealerships must notify the FTC of security incidents that affect at least 500 customers, and must ensure “end-to-end” encryption of personally identifiable information (PII) sent digitally over external networks. In other words, PII exchanged between dealership personnel and customers must be encrypted in transit. This means that for a dealership to be compliant, use of unsecured, unencrypted text messages and email is not permitted.

One obvious problem, however, is that purchase transactions may routinely be initiated and conducted via email and text messages, including without limitation, communications that flow through the dealerships’ DMS and CRM systems and texting and messaging applications. And some have argued that certain dealership cybersecurity consultants and software providers have fallen short in providing solutions that satisfy the encryption requirement for in-transit exchange.

This becomes particularly problematic when one considers, for example, the volume of personal data on a dealership salesperson’s phone from existing and past customers. This data might be located in a number of places, including without limitation, in the phone’s text history, photo bank, and other repositories, as well as data backed up to a cloud service which might be shared. Each item mentioned would constitute an incident under the FTC Safeguards Rule and a fineable offense, with the maximum fine, per incident, being $50,120. Moreover, the Safeguards Rule broadly covers both past and current dealership employees and past and current dealership customers, with authority granted to the FTC to investigate retroactively. Pursuant to the FTC’s enforcement authority in the course of such an investigation, it may subpoena dealership email, text and phone records, including directly from the dealership’s vendor providers.

Dealers need to ensure their full compliance with the FTC Safeguards Rule. This includes having in place security measures designed to protect customer PII that is exchanged in transit. At a minimum, this requires using secure technology for email, text messages, passwords, logins, accounts, etc. Consultation with the dealership’s cybersecurity advisor or technology consultant and legal advisor is warranted to ensure the dealership is compliant in every respect with the FTC Safeguards Rule.

Julie A. Cardosi is Principal of the private firm, Law Office of Julie A. Cardosi, P.C., of Springfield, Illinois. She has practiced law for over 38 years and represents the business interests of franchised motor vehicle dealers throughout Illinois. Formerly in-house legal counsel for the Illinois Automobile Dealers Association, she concentrates her private practice in the areas of dealership operations and compliance matters, transfers of ownership, mergers and acquisitions, franchise law, commercial real estate transfers, dealership employment and other areas impacting day-to-day dealership operations. She previously served as Illinois Assistant Attorney General and Deputy Chief of the Consumer Fraud Bureau of the Attorney General’s Office. The material discussed in this article is for general information only and is not intended as legal advice and should not be acted upon as such. Dealers should consult their own private legal counsel for application to their specific circumstances. For more information, Julie can be reached at jcardosi@autocounsel.com, or at (217) 787-9782, ext. 1.

  1. The FTC Safeguards Rule updated the Gramm-Leach-Bliley Act (GLBA) of 1999; the FTC had previously amended the Rule in 2021 to address current technology and expand guidance for businesses.
