Will your auto dealership be legally compliant by June 9th?
For decades, motor vehicle dealerships have handled consumers’ Personally Identifiable Information wrong. Why? Well, the industry has never been regulated.
Right now, at your dealership, your staff is receiving unsecured texts with Personally Identifiable Information (PII) from consumers. Their driver’s licenses, W2s, paystubs, and more are on your staff’s personal devices, not end-to-end encrypted. And in order to get that data into your CRM or to your F&I officer, they must email it. Again, another non-end-to-end encrypted process.
All of this is a direct violation of the Federal Trade Commission Safeguards Rule starting June 9th, 2023, and can potentially incur a $46K PER-INCIDENT violation.
We’ve recently heard many Cyber Security professionals and “consultants” in the Automotive space state, “It’s not my job to make sure the dealership stays compliant with texting and email. That is on their email or software provider.” These professionals either don’t realize ALL of the requirements of the new FTC rule and its purpose, or maybe they don’t care. So, if no one wants to claim responsibility for this specific requirement of the rule, then whose job is it anyway?
Dealership salespeople are constantly exposing PII, whether they realize it or not, and someone must take ownership. Well, the FTC has spoken. It is the direct responsibility of decision makers to designate someone who can oversee their entire information security program and ensure compliance. That ‘ensure compliance’ part covers all points of the act, including end-to-end encryption.
And if you’re an auto dealer scratching your head, questioning, “How do we secure communication with consumers and my sales staff and not ruin the consumer experience?” you’re not the only one. At Botdoc, we get calls every day from dealerships trying to solve this one specific issue.
Yes, the FTC Safeguards Rule Applies to Auto Dealerships and Motorcycle Dealerships
Though most people associate the FTC with financial institutions like banks and credit unions, FTC rulings extend to non-banking financial institutions, such as auto dealerships. Motor vehicle dealers are specifically called out as being responsible for adhering to the Safeguards Rule lest they feel pressure beneath the hand of the Federal Trade Commission.
It doesn’t matter if you only sell used, sell new, or do/don’t have a financing department. As long as your dealership engages in the sale or purchase of motor vehicles and collects any form of consumer information, you fall into the non-banking financial institution category.
How the Safeguards Rule Affects Dealerships
While many provisions under the Safeguards Rule went into effect last year, the following list includes the updated provisions that will come into effect as of June 9th, 2023. Your dealership should be prepared to comply with each provision:
- Designate an individual to oversee an information security program
- Use multi-factor authentication (or equivalent) for accessing consumer data
- Routinely assess the security practices of third-party service providers
- Develop a written risk assessment
- Develop an incident response action plan
- Limit who can assess sensitive PII
- Monitor who can assess sensitive PII
- Encrypt all sensitive data at rest and in transit
- Properly train data security personnel
The real game changer here is addressing the elephant in the room: How to fix the end-to-end encryption problem between consumers and your sales/F&I staff. IT directors, cyber consultants, and even your CRM/DMS software providers can theoretically pass the torch, saying, “It’s not my job to fix that problem.” But it still begs the question: Whose job is it anyway if no one is addressing this specific issue?
How to Solve the End-to-End Encryption Requirement if Your CISO or Cyber Consultant Won’t Help
Is your car dealership nervous about whether or not it will be compliant with the FTC Safeguards Rule by June 9, 2023? Botdoc helps auto dealerships become compliant (and stay compliant) with Federal Trade Commission data privacy rules and regulations. Specifically, Botdoc solves the end-to-end encryption requirement between consumers and your dealership.
Dealerships can receive consumers’ PII, such as driver’s licenses and bank account or credit information, in one protected platform without needing pins, passwords, or logins. By safely handling sensitive data with Botdoc, you’re adhering to federal regulations and safeguarding against potential data breaches while making the process simple and EASY for consumers and your dealership staff. That makes a win-win for everyone.
Provide a better consumer experience and create frictionless file transfer between everyone in your dealership, today. Let’s talk about making it happen.