FTC Expands Data Security Requirements, Impacting Dealers

By Robert Ebin, Esq. and Emily Hartman

At the end of October, the Federal Trade Commission (FTC) announced its expansion of the Safeguards Rule to better protect consumer financial information from cyberattacks and security breaches. The amended Rule’s most significant requirements will take effect one year from the date it’s published in the Federal Register, which means dealers will likely need to comply by the fourth quarter of 2022. Here are five things you need to know.

Rule Expands Data Security Requirements for Written Programs

For background, the FTC created the Safeguards Rule as part of a directive from the Gramm-Leach-Bliley Act. The Safeguards Rule has been around since 2003, directing financial institutions, which include dealerships that extend credit and lease terms, to develop and implement a written information security program.

The updated Rule includes much more detail about the required elements that must be included in an information security program, like addressing access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.

Identify One Qualified Individual to Oversee Data Security

or employees” to take responsibility for the information security program, but the new rule requires only one “Qualified Individual.” This person must write an annual status report and provide it to the board of directors or the business’s governing body. The report must cover overall status updates of the program, compliance, and all security breaches or events that occurred in the past year.

If You Have Less Than 5,000 Customers, You Could Be Exempt From Some Requirements

The Rule includes an exemption for financial institutions that collect data on fewer than 5,000 customers. These organizations are exempt from certain requirements, including the written risk assessment, incident response plan, and submitting the report to the Board of Directors.

The Definition of Financial Institution Is More Expansive

The Safeguards Rule applies to any financial institution, which includes dealerships that extend credit and lease terms. The updated Rule now includes any organizations participating in activities that the Federal Reserve Board identifies as incidental to financial activities. This change brings “finders,” or companies that bring together buyers and sellers, under the Rule. Additionally, several other definitions were directly added to the Rule from the Privacy of Consumer Financial Information Rule.

Open Comment Period: Should Organizations Report Large Data Breaches to the FTC?

On top of the updates, the FTC announced a 60-day open comment period regarding whether or not the Safeguards Rule should be further amended to require financial institutions to report to the FTC any data breaches or other security incidents that impact 1,000 or more customers’ information.

What Should You Do?

Continue to monitor for more information from the FTC. Seek out your legal counsel to review your current policies and procedures, help determine what changes you’ll need to make, and figure out how you’ll make them in the coming year.

KPA is Here to Help

If you use KPA’s Vera F&I software and services, our customer information security training and consultants are here to help ensure you and your employees understand these changes and how they impact your business. Our Cybersecurity Training Package can help educate your employees on what to look for and prevent a data breach before one occurs.

Rep. Lynda Schlegel Culver Introduces House Bill 2064 - Modifying the Process for Impound and Salvage Vehicles

By Erik A. Ross, Senior Associate, Milliron & Goodman

State Rep. Lynda Schlegel Culver has introduced House Bill 2064, which was referred to the House Transportation Committee on November 9, 2021.

SUMMARY OF HOUSE BILL 2064

The purpose of this legislation is to notify vehicle lienholders or lessors in a timely manner of the impoundment of a vehicle with their lien on it, and to allow the lienholder or lessor to recover the vehicle in a reasonably expeditious and unencumbered manner.

Currently in Pennsylvania, about 1,000 vehicles per month get hung up or go missing without notification to the lienholder or lessor.

Moreover, the legislation will allow lienholders and lessors an opportunity to prevent vehicles from being perpetually impounded and incurring storage fee costs by incorporating a process into law that enables an individual to get limited access to lienholder and lessor information so they can quickly determine if a vehicle can be crushed, scrapped, or sold at auction or if they need to contact the owner, lienholder, or lessor to notify them of the situation.

In addition, requiring lienholder or lessor notice will prevent “borrowers” who are not paying their car loans or leases from selling a liened or leased vehicle to a crusher or salvage dealer and having the vehicle crushed in exchange for cash.

Finally, this legislation provides the appropriate balance between ensuring lienholders and lessors can recover their vehicle collateral while not placing an undue burden on individuals in possession of the vehicle.

BACKGROUND

While the state Department of Transportation (PennDOT) strives for a turnaround period of less than 2 weeks to obtain a title, which is required under current law before a vehicle can be crushed, scrapped, or sold at auction, one of the problems is the accumulation of storage fees and fines during that 2-week period (or longer) before a lienholder or lessor is notified.

Another problem is that salvors or scrappers may believe they have legitimately obtained a vehicle and are simply waiting for a clean title from PennDOT. If they jump the gun and scrap or salvage the vehicle before receiving a clean title from PennDOT in a timely fashion, there is little recourse for the lienholder or lessor, since going to civil court for a $5,000 vehicle does not make sense because the court costs will overtake the loss of the vehicle.

CONCLUSION

House Bill 2064 provides a timelier process to notify lienholders without running up big bills that cost the dealer, salvor or scrapper while waiting for verification. It also increases penalties for non-compliance to hold everyone accountable.

Erik Ross brings over 30 years of experience in state government and lobbying to Milliron Goodman. He specializes in state government relations with a focus on transportation, energy, environmental, and public utility issues in one of the most innovative regulatory environments in the country. His duties include lobbying members and staff of the Pennsylvania General Assembly, executive departments, and regulatory agencies on behalf of clients. In addition, he serves as a liaison between clients and state government officials and assists in the drafting or amending of legislative and regulatory proposals.

Erik’s public sector experience includes positions as Research Analyst to the Chairman of the Senate Majority Policy Committee and Senate Environmental Resources & Energy Committee; and Legislative Assistant and Executive Assistant to the Pennsylvania Senate Majority Whip Mike Fisher from 1989 to 1993. His duties included management of legislative/policy development; drafting legislation, amendments, and correspondence; assisting the Majority Whip on the Senate floor; and assisting the Senate Majority Leader’s staff on caucus-related projects. Milliron & Goodman will keep you apprised of any activity related to this bill by the House Transportation Committee.
