Skip to content
Adam CrowellOct 27, 20232 min read

FTC Will Require Dealerships to Report Data Breaches

October 27, 2023.  The Federal Trade Commission (FTC) announced it will require dealerships and other non-bank financial institutions to report data breaches involving unencrypted information on more than 500 consumers.

On October 27, 2023, the Federal Trade Commission (FTC) announced a revision to the FTC Safeguards Rule, a regulation aimed at protecting consumer information supplied to financial institutions.  The revision, which goes into effect in 6 months, requires dealerships and other non-bank financial institutions to report data breaches to the FTC within 30 days of discovering that unencrypted information of more than 500 consumers was obtained by third parties without authorization.

The data breach report must be submitted electronically through the FTC's website, and include:

  • the name and contact information of the business;
  • a description of the types of information involved;
  • the date or date range of the notification event;
  • the number of consumers affected or potentially affected;
  • a general description of the notification event; and
  • whether any law enforcement official has provided a
    written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.

The data breach reporting revision comes on the heels of major changes to the FTC Safeguards Rule that went into effect on June 9, 2023, and included:

  • The designation of a “Qualified Individual” to implement, oversee, and enforce administrative, physical, and technical safeguards of an established a written information security program (ISP)
  • Mandatory and documented employee training
  • Creation and management of the following documents:
    • Initial and ongoing risk assessments
    • An information security program
    • An incident response plan
    • An annual report to the board of directors (or equivalent executive management)
  • IT requirements:
    • Enabling multi-factor authentication (MFA) on systems containing customer information
    • Encrypting systems containing customer information
    • Performing:
      • Continuous monitoring of information systems
        • Absent effective continuous monitoring, annual penetration testing and vulnerability scans at least every 6 months
  • Ongoing monitoring of:
    • Access controls to documents and data
    • Customer information storage
    • Disposal procedures
    • Change management procedures
    • Security practices
  • Assessing the risks of vendors with access to customer information, and contractually requiring them to meet or exceed the Safeguards Rule standards

To help dealerships prevent data breaches that would require notifications to the FTC and others, ComplyNet offers solutions that guide dealerships to implementing the proper technical, physical, and administrative security measures, while documenting and demonstrating compliance.  To learn more about ComplyNet's Privacy and Safeguards solutions, SCHEDULE A MEETING.


Adam Crowell

Adam is Vice President of Legal and Corporate Development at KPA and ComplyNet and is a licensed practicing attorney with over 21 years of experience primarily representing dealerships. Adam is a frequent speaker on the local, state, and national levels, including presentations to the National Automobile Dealers Association (NADA), the National Independent Auto Dealers Association (NIADA), and the National Association of Dealer Counsel (NADC).