Dealers Need Help Complying With Data-Protection Rules

The FTC allows dealerships to retain cybersecurity experts to help dealerships comply with the Safeguards Rule, but those experts are in short supply.

Jim Henry | Feb 01, 2023

DALLAS – The share of dealers who say they’re “very or extremely” ready for the enforcement of a tougher new Safeguards Rule later this year has declined since a year ago, according to research by dealership vendor CDK Global.

But that’s not entirely a bad thing if it means dealers are paying closer attention to the updated Safeguards Rule and assuming dealers are learning how difficult it is to comply, says Anu Roberts, senior director of marketing at CDK Global.

“Dealers absolutely are prioritizing cybersecurity,” Roberts (pictured, below left) says in an interview at the NADA Show here.

Anu Roberts CDK.jpg

The Safeguards Rule is aimed at protecting both private consumer data and the dealership business systems that collect, use and store consumer data. An update was supposed to take effect in December 2022, but the Federal Trade Commission granted a postponement until June 2023.

The FTC says a big reason why it granted the postponement is because there is an acute shortage of highly qualified cybersecurity experts dealerships can hire to help them comply with the new rules.

“Cybersecurity is not a do-it-yourself exercise,” Jonathan Nguyen says in the same interview.

Nguyen is vice president and chief information security officer of strategic services for Fortinet Inc. of Sunnyvale, CA, which is partnering with CDK in offering dealers services related to the Safeguards Rule.

In connection with the Safeguards Rule, CDK Global of Hoffman Estates, IL, offers dealerships training, consulting and services ranging from a little help getting ready for the new rule, to basically running new and improved cybersecurity measures for dealerships, depending on how much the dealership wants to contract out, Roberts says.

Including all its services, not just cybersecurity, CDK serves about 15,000 dealerships, the company says.

Under the new Safeguards Rule, the FTC mandates that each dealership appoint a “qualified individual” on its staff to supervise the dealership’s cybersecurity efforts. But the FTC is vague about what the qualifications are. The agency also allows dealerships to hire an outside firm to help the dealership comply.

In practical terms, that probably means at most dealerships, the required, on-staff “qualified individual” will be the dealership’s point of contact between dealership management and an outside cybersecurity expert.

One of the most difficult aspects of the new Safeguards Rule is a requirement to continuously monitor the dealership’s website and its information technology system, looking for attempts to attack the system, gain access to consumer and dealership business data, or potentially install ransomware.

The original Safeguards Rule took effect in 2003. At the time, the emphasis at the dealership level was on the physical security of paper documents.

For the updated rule, Nguyen says, “The type of cybersecurity the rule demands is out of reach for most dealerships” without outside help.