Six (6) Perspectives On The New GLB Safeguard Regulations

The new Gramm Leach Bliley Act (GLBA) regulations aren’t going away and become effective on December 9, 2022. You don’t have to agree, but you do have to comply. If you haven’t started already, it’s time to begin the work of parsing out how you will respond.

I’ve asked various industry experts to chime in on how you should focus your efforts.

Here’s what they had to say:

Atul Patel

CEO, Orbee 

“Occasionally you get a nudge to rethink what you’re doing. While it might feel like it’s more an elbow to the ribs, the FTC Safeguard Rule that is part of the Gramm-Leach-Bliley bill is forcing auto dealerships to take their customer’s data security seriously. We find this to be the biggest opportunity for dealerships to take back control over your data that is created on your properties, from your media investments, by your customers. When your shoppers give you their Personal Indentifiable Information (PII), they believe it was to you. But what is more likely is that it was to a third-party such as a trade-in tool, credit form, chat, and so on. We restructure the way data is created, stored, and activated. This offers the clearest path to Safeguard Rule compliance while benefiting your customer experience.”

Jim Lawrence 

COO, Sensitive Data Protect, LLC

“There are 5 steps dealers should take to establish a good-faith compliance effort to address general cybersecurity, the FTC's Safeguard Rules, the ongoing battle against "phishing," and ransomware attack prevention: 

1. Perform cybersecurity testing to find gaps in consumer facing IT infrastructure and behind your firewall. 
2. Establish the policies and procedures and trainings to address the gaps and evaluate the investment options for ongoing IT security preventative measures.
3. Make sure to review the difference between a "bundled" approach to cybersecurity versus a piecemeal, single-point solution.   
4. Partner with an experienced automotive service provider who knows where the sensitive consumer data hides on your DMS and the third party software applications that share your client and prospect database.  NOTE: Dealers' are now responsible for their customer data. Their liability doesn't stop at the edge of their lot, it now stretches out to your third party dealer service providers.
5. Approach your cybersecurity insurance provider about all this "Good-faith Compliance Effort" because they value and reward dealers with lower premiums and deductibles who attend to the needs of their cybersecurity in a "bundled" more comprehensive way.   SPECIAL STEP: If you're in the buy/sell due diligence process or even considering it, show your dealership's ability to protect its operational and sales value other dealers can't with the documentation of your good faith cybersecurity effort.”

Michael Tuno

President, ARMD Resource Group, LLC

“In October of 2021, the FTC updated the 2003 Safeguards Rule to reflect the sign of the times.  While the industry is buzzing about this update as if it is something new, it simply is a rule that is reflecting the current state of the industry and the ever-growing risk to dealers with protecting customer’s information, both paper and digital.

The term “qualified” has been added to describe the seemingly elusive role in a dealership of a “CCO”.  The need to document all the digital audits and deploy the risk mitigation steps like multifactor authentication etc. have been added.  An incident response plan to document the dealer’s plan to deal with a breach has been added.  Vendor risk management continues to be a critical task, even since the 2003 days.

The FTC is going to hold third parties responsible for any customer information in a more stringent light.  At the end of the day, on December 9, 2022, dealers are advised to document all these updates to the Safeguards Rule.  If it isn’t documented, it didn’t happen!   

At $43,792 per day per violation, not to mention UDAAP or UDAP, (especially if you are using the FTC boilerplate privacy policy at your store), it can get very expensive very quickly if this law’s requirements aren’t met.  Déjà vu!”

Hao Nguyen

General Counsel, ComplyAuto

“What we've seen is that the revised federal Gramm-Leach-Bliley Act's Safeguards Rule ("Revised Rule") continues to confuse dealerships across the country on how to exactly fulfill these new obligations. Many folks are talking about it -- their attorneys, state and national trade associations, and other dealers -- but none of them provide a cost-effective solution to meet the dealers' needs. 

We work closely with a dealership's IT company or third-party managed service provider ("MSP") as two halves to a pair of scissors to get the dealership fully compliant with the Revised Rule. We help create required documentation (the Information Security Program and all of the required plans that go with it), provide employee security awareness training, execute phishing simulations on employee emails, perform penetration testing and vulnerability scanning as well as risk assessments at the dealership, and help manage vendor requirements in signing Data Processing Agreements and completing vendor risk assessments.

Not only will this help fulfill the Revised Rule but also potentially affect cybersecurity premiums. If your clients have not experienced it yet, dealerships across the country tell us that their quoted premiums have increased two to three hundred percent for this year. Implementing our services to bolster your data protection and cybersecurity protocols will go a long way in showing them that you place a priority on data security and will possibly reduce your cybersecurity premiums (or get coverage in the first place).”

John Acosta 

CEO, Vtech Dealer IT

“Compliance is like a marathon. Come the end of the year; you want to be on mile 22 rather than mile 3 of the race. Some of the GLBA compliance requirements are major systems upgrades that take time to set up properly. Start planning now.” 

Of course, he’s right.  Here are other GLBA considerations:

Is all of your customer data encrypted?

Do you have endpoint protection throughout the dealership?

Do you have a data retention policy in place?

Have you implemented multi-factor authentication (MFA)?

Do you have a written “incident response plan?”

Have you completed cyber training for all employees?

 …and there’s more…

To practice optimal risk mitigation, here, begin by figuring out where your biggest areas of vulnerability are and build out your program from there.  Feel free to reach out to any of these folks (including me) if we can answer any questions.  We are happy to receive your call.  Cheers!