The Safeguards Rule, originally released in 2003 under the authority of the Federal Gramm-Leach-Bliley Act, was amended in October 2021 by the Federal Trade Commission.  Unlike the prior version of the rule, the amended rule provides detailed requirements for keeping dealership customer data secure, including limiting employee access to customer information and the appointment of a specific “qualified individual” tasked with managing the dealership’s information security program.

Additionally, the updated rule requires the following:

  • Encryption of all data in transit over external networks and “at rest” at the dealership’s servers
  • Multi-factor authentication (i.e., text verification codes) for users accessing the non-public personal information (NPI) of customers
  • Continuous monitoring and logging of authorized and unauthorized users accessing systems that are storing or managing NPI
  • Performance of annual “penetration tests” and bi-annual vulnerability tests
  • A written “incident response plan” for when a data breach occurs
  • Security awareness training for all employees
  • Periodic assessment of technical and physical safeguards of IT service providers
  • Data retention policy requiring disposal of customer information within two years after the end of a customer’s relationship, unless otherwise required for a legitimate business purpose
  • Performance of periodic written risk assessments related to potential data breaches
  • Submission of periodic written reports to ownership or senior officers on the dealership’s information security program

While the costs of compliance with these requirements are still to be determined and may vary by dealership, it is important that dealers reach out as soon as possible to their DMS and IT services providers to understand whether their existing systems can provide for compliance with the updated Safeguards Rule and what additional costs there may be to meet any compliance gaps.  The good news is that some requirements under the updated rule are already standard features in many corporate information systems, including multi-factor authentication and encryption of in-transit and at-rest data.

It is important to note that the final rule’s requirement of a “qualified individual” to manage a dealership’s information security program was an accommodation made by the FTC, which had originally required a “Chief Information Security Officer” (CISO) in its proposed rule to manage such program for a company covered under the rule.  To avoid the additional compensation associated with hiring a CISO, the FTC scaled back this requirement by allowing “qualified individuals” under job titles that may not require the salary of a CISO.

You should check your service agreements with your DMS providers to ensure that your providers are contractually required to provide all of the measures sufficient to ensure that you will be in compliance with the updated Safeguards Rule.

We expect that more information on this evolving topic will be released by the FTC.  In the meantime, feel free to reach out to us with any questions.


Read any trade publication or talk with any franchised dealer and one of the biggest concerns on everyone’s mind is the lack of new inventory available on dealer lots for sale to customers.  This is not an issue that is limited to just one brand or one section of the country.  Every factory and dealer around the country is facing the same challenge with limited new vehicle inventory.  Because of this situation, it is important that you stay aware of the state laws protecting you from unfair inventory allocation practices by your OEMs.

For instance, in New York, the Franchised Motor Vehicle Dealer Act (the “Act”) requires manufacturers to not “utilize a discriminatory, unreasonable, arbitrary or unfair system of allocation of new motor vehicle inventory.”  Under Section 463(2) of the Act “A franchisor shall communicate its system of allocation in writing in a clear and concise manner to all same line-make dealers located in this state.” Several other states, including New Jersey, Connecticut, Ohio and Illinois, have similar statutes that prevent OEMs from unfair vehicle allocations among their same-line dealers.

Given the challenges that chip shortages have placed upon managing the timing and quantities of the inventory coming off their production lines, OEMs have struggled to allocate new vehicle inventory fairly among all of their dealers.  For several OEMs, however, inventory allocation struggles started well before those caused by COVID-related chip shortages.  I have worked with multiple dealerships who have had to compete with nearby same-line dealerships that have acquired more than their fair share of inventory, particularly those fast-selling models that are in demand.  Regardless of whether it was out of a desire to play favorites or some less nefarious reason, inequitable allocations between same-line dealers are not allowable by law in several states.

These issues are not just a minor inconvenience — for many of these dealerships, getting sufficient allocation of vehicles can mean making their franchise sales targets or not from month to month.  Taking OEMs to court for such statutory violations may not be the most practical response to such a situation.  However, at the very least, you can mitigate the risk of OEMs declaring a default from not meeting your dealership’s sales targets by respectfully reminding OEMs in writing of (1) their continuing obligations under state law to provide an equitable means of distributing manufactured vehicles that does not inadvertently benefit certain dealerships at the expense of yours, and (2) the critical role that available inventory plays in hitting OEM sales targets (as we have heard from several dealers this year, “You can’t sell what you don’t have”).  While some customers have adapted to buying vehicles on back order, by no means does such a group comprise the majority of dealership customers.  The availability of inventory at a dealership continues to play a significant factor in explaining the difference in new vehicle sales between competing, same-line dealers in a given state or region.

For questions and additional information on our automotive dealership practice, please contact me by phone at 631-777-2401 ext. 32 or via email at ket@selawny.com.