Automotive, Motorcycle, RV and Power Sport dealerships are having to make changes due to the new FTC safeguards rule that goes into effect 9 June 2023. One item that most dealerships are not prepared for is the end-to-end encryption requirement for everything in transit over external networks (16 CFR 314.4(c)(3)). That means every item of Personally identifiable Information (PII) that is sent digitally between the consumer and the dealership’s staff must be encrypted in transit. This means that sales staff can no longer use text or email if they want to be FTC compliant. Unfortunately for dealerships, text and email are industry standard tools today. This includes the texts and emails in and out of the CRMs and software providers as well. This is probably the biggest issue that the industry has not grasped or is not talking about.
Paragraph 16 CFR 314.4(c)(2) of the regulation also identifies that a dealership must “identify and manage” all data and devices that are used as part of their business. This does NOT mean managing physical phones, but rather the tools (apps, software) that are used, regardless of the device. Unfortunately, a dealership cannot identify or manage the data sent over text, photos, phone files or even messaging apps like WhatsApp or Signal. All of the above are not FTC compliant, especially when combining the requirements in paragraphs 314.4C2/C3.
To understand why things are changing one must understand the overall cybersecurity environment and why doing business the same way will be detrimental to dealerships after 9 June 2023. To learn more, please visit securemydealership.com
The primary reason the FTC is changing the rules is the fact that cybercrime is getting significantly worse every day. There are a lot of statistics on the impact of cybercrime, but the only one that is important to know is that cybercrime is now more profitable than all the illegal drug trade combined globally. That is a large number, and one can start to understand why cybercrime has become an epidemic.
The real reason dealerships need to pay attention, and the only number that needs to be understood is $50,125. This is the maximum fine per incident that the FTC can fine a dealership. That is per incident. Dealership management needs to think about how many items of PII their staff have on their phones. This is all of their staff, current and past (starting 9 June 2023), that pertain to, current AND past consumers (staring 9 June 2023); driver’s licenses, insurance cards, W-2’s, pay stubs, DD 214s, and anything that has a customer’s name along with additional information about them (PII). If you ask “how many”, the average salesperson’s response will be “hundreds” and others “thousands”, regarding the number of images on their phones, photos, text history, and email. Not to mention most users back their photos up with apps shared with their families.
Take “hundreds” or “thousands” and multiply that by the entire dealership’s sales staff, then multiply that by $50,120. Each of those items could be individual incidents starting 9 June 2023. That is a lot of money and no dealership owner wants or should have to pay fines like this to the FTC.
To boil down what the FTC is changing: dealerships now must act like a bank regarding digital security. There are 16 primary points to the new safeguards act.
- Appoint a “qualified individual” for accountability
- Written Risk Assessment
- Data and Systems Inventory
- Encrypt Data at rest and in Transit
- Adopt Secure Development Practices
- Multi-Factor Authentication (system access)
- Audit trails (system access and data access)
- Develop secure disposal Procedures
- Change management procedures
- Unauthorized Activity Monitoring
- Penetration Testing and Vulnerability Assessments
- Employee Training and security Updates
- Periodic Assessment of Service Providers
- Incident Response plan
- Written Chief Info Security Officer (CISO) Report
- Implementation of Access Controls
Dealerships’ IT and security teams (qualified individual/fractional CISO) should be working on all 16 items to ensure no one gets fined.
But there is one item the “qualified individual” cannot do by themselves or in isolation. This one item will require every person at the dealership to do something different daily. That is the second part of #4 above, “in transit.” How the dealership collects and sends info with a customer will need to change, and this is a cultural change based on how business has been conducted for decades. This means every piece of consumer PII must be secured and encrypted in transit between the consumer/ buyer and the dealership, even over “external networks.” That is the only item a security team cannot do on their own and will require help from every dealership employee to be compliant.
This pertains to anything related to a test drive and qualifying on the financing side, PII.
Many believe that if their email is advertised as secure (like Outlook, Gmail, Yahoo etc.) that it is ok to send and receive information because the email is “secure” and uses technology like TLS and SSL. This may be true if dealership emails are never sent/received from non-dealership emails. If you are sending and receiving PII to/from a customer via email, this position is false. The data in transit between two different emails is not secure. Once the email leaves those secure email environments, it travels unencrypted and unsecured over the internet before it is received by the other “secure” email environments. This is how texting works as well. This also includes emails and texts that travel in and out of CRMs and other software providers. All of this traffic can be read, compromised, and even manipulated in transit. This is not FTC compliant and will be a finable offense after 9 June 2023.
For the dealerships that understand this issue, they can and should put something in place immediately. Those that are not aware of this issue will not be in compliance come 9 June. The FTC can and will investigate text/email records, dating back to 9 June 2023, at any point in the future.
And why this one half of one bullet point out of 16 items so important?
This end-to-end encryption in transit issue over external networks is the biggest issue surrounding the new FTC safeguards rule for dealerships because it’s a cultural change, a culture of texting and emailing that has been in place for decades and is not easy to change.
This specific issue is likely to be the first place the FTC will look when investigating dealerships. Why? Because the FTC investigates where there are complaints, and consumers are the #1 source of FTC complaints. There is only one item on the list of 16 above that is consumer facing, that is “in transit”. The other 15.5 items listed above are not things the consumer would know or have knowledge of.
In other industries that have been regulated for a long time (banking, lending, insurance, healthcare etc.), the FTC can and will subpoenas cell phone, text, and email records (even if they are personal) when they investigate, because it is easy to do and the place where many regulated companies fail in other industries.
Botdoc is a NADA affinity partner, serving large and SMB sized companies within all regulated industries, solving in transit encryption issues with software that is easy to implement and easy to use.