NADA: Important NEW FTC Safeguards Rule obligation - Dealers must report “Notification Events”


Adapted from the GCADA Newsletter

What’s new: The FTC Safeguards Rule now requires dealers to notify the FTC when certain security events that could affect consumer data occur in dealer systems or in third-party systems that hold dealer data. NADA has updated its Driven Guide, A Dealer Guide to the FTC Safeguards Rule (L43), to include details about the new requirement.

Why does it matter?: Last fall, the FTC announced a final rule amending its Safeguards Rule that requires non-banking financial institutions, such as dealers, to report certain data breaches and other security events, which the rule calls “notification events.” This means that dealers and others must notify the FTC, which will post the reports on a publicly available website.

What counts as a notification event: The trigger for filing a report is a “notification event,” which the rule defines as “[t]he acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This covers data breaches and other security events that compromise unencrypted consumer data, and the rule presumes that unauthorized access to unencrypted customer information is an acquisition unless the dealer has reliable evidence that the data was not, or could not reasonably have been, acquired. Beyond that, the exact scope of the definition is somewhat unclear.

When is it triggered: If a notification event affects the unencrypted information of 500 or more consumers, it must be reported to the FTC as soon as possible and no later than 30 days after discovery. Notice to the FTC must be provided electronically through a forthcoming form on the FTC’s website. Dealers may need to report notification events that occur in dealer-controlled systems as well as those that occur at a vendor, if the event affects that dealer’s customer data.

What’s next: This new reporting obligation went into effect on May 12, 2024. Dealers should review NADA’s previous Safeguards guidance and consult the newly updated Driven Guide, A Dealer Guide to the FTC Safeguards Rule (L43), in light of the May 12 compliance deadline. Dealers should also work with their IT professionals and counsel to understand and prepare for the new requirements, and should update their incident response plans and information security programs accordingly, so that the discovery date of an event is recorded and the 30-day clock can be met.
