Banking has been regulated for cyber security for more than 20 years. Healthcare has been regulated since HIPAA came out in the 90s. Automotive just got regulated under the FTC Safeguards Rule a couple of years ago.
The hardest part of catching up isn't the technology. It's the culture.
Our CEO Karl Falk made this argument in a Ford Direct interview at the 2026 NADA Show. The full clip is above.
Why automotive is behind on the curve
Auto retail grew up digital. Texting customers. Emailing documents. DMing pricing. Sharing driver's license photos over SMS. For two decades, every workflow in the dealership was built around speed and convenience, with no security gate in the middle.
That habit set works fine when the regulator isn't paying attention. The FTC was not paying attention to auto retail through most of those two decades. The CFPB was watching mortgage. HHS-OCR was watching healthcare. The federal financial regulators were watching banks. Auto got to operate without the regulatory whip.
Then the FTC Safeguards Rule hit. And every workflow built around convenience became a compliance gap.
The hurdle is cultural, not technical
The tools to fix this exist. Encrypted document transport, identity verification, audit logging, controlled mail relay: all of it is available today. None of it is exotic. Banks have used these controls for years.
What does not exist in most dealerships is the cultural infrastructure to enforce them. Sales staff trained for ten years to text customers do not stop overnight because IT pushed a new policy. F&I managers running 200 deals a month do not pause to verify a new workflow when the old one closed deals last week. Service writers do not change how they collect driver's license photos because a memo went out.
The technology change takes two weeks. The cultural change takes two years.
That is the gap auto retail is now standing inside.
What the FTC actually said
The most common reaction to FTC Safeguards in the dealer world is "the regulators are out to get us." That reading misses what the FTC actually said.
The US government realized it can no longer protect the American consumer from cyber attacks and identity theft by itself. The attack volume is too high, the attacker tooling is too cheap, and the federal capacity is too limited. So the government did the only thing left to do: push the responsibility for protecting consumer data onto the industries that hold it.
That is not compliance for compliance's sake. It is the regulator acknowledging that the federal cyber posture cannot scale and that institutions holding customer data have to share the load. The Safeguards Rule is the legal mechanism for that handoff.
Dealerships are now load-bearing in the consumer-protection stack whether they signed up for the job or not.
The proof is in the last 24 months
If you want to know whether the FTC's read on the threat environment is correct, look at what has hit auto retail in the last 24 months. CDK Global ransomware. Reynolds and Reynolds outages. Dealertrack interruptions. Multi-rooftop dealer groups taken offline for weeks. Stolen customer data showing up on credit-monitoring alerts months after the breach.
That is the tell. The regulators did not invent the threat. They responded to it.
The dealers who are getting ahead of the cultural shift now are the ones who will look smart at the next breach event. The dealers who are still waiting for someone else to make this their problem will write the checks.
What dealerships actually need to change
This is not a checklist. It is a leadership posture.
- Leadership has to own it. If the GM is not asking the F&I and service desk each week "what changed in how we handle customer data," nothing changes.
- Process before tools. Map the workflow. Where does customer information enter, sit, and leave the dealership? Most dealers cannot draw this diagram. Until they can, no tool will close the gaps.
- One person accountable. Not a committee. One name on the org chart who owns whether the dealership followed its own process this week.
- Then layer the tools. Secure transport for the documents and ID. Authentication on the channels customer data rides. Audit logs that record the TLS negotiation that actually happened on each transfer, not just the policy that says it should. SDT Engine capabilities are designed for this exact problem.
The cross-industry pattern, one more time
This is the same playbook that played out in mortgage in 2015 and in healthcare through the 2010s. The industries that closed the cultural gap early stopped fighting the framework and started building around it. The industries that waited paid the fines and absorbed the breach costs.
Auto retail is on that curve now. The dealers picking up the cultural change early — encrypted transport, controlled channels, audited workflows, leadership accountability — are the ones who will be operating cleanly when the next examiner asks the next question. The dealers waiting will be the ones explaining what went wrong.
The technology was never the hard part.
Related reading:
- Our previous post on the front-door / back-door fraud frame: The Back Door Auto News Just Named
- For audit firms and FFIEC examiners reading the same patterns: /for-auditors/
- Partner page for the FordDirect + Botdoc collaboration
- Short-form highlight reel of the interview from @theshopfordealers