cybersecurity for automotive dealers

The cybersecurity and privacy demands on car dealers are growing at a rapid rate. Car dealers – many of whom process large amounts of sensitive PII – are now required to adopt certain mandatory cybersecurity and privacy safeguards to ensure the protection of client data. In October of 2021, the FTC implemented the new requirements, along with stricter penalties for noncompliance, to the tune of $11,000 in fines per day per incident. A summary of the new requirements is as follows:

• Car dealers must assign a program coordinator to be responsible for overseeing compliance of the rule.
• Car dealers must perform a risk assessment.
• Car dealers must develop an information security program and document it in writing.
• Car dealers must oversee their service providers.
• Car dealers must update, maintain, and train in relation to its information security program.

The new ruling creates the requirement for both a fiscal and time investment in order to meet compliance. Car dealers may choose to leverage a third party to assist in alleviating this pressure, or bring expertise in-house; the latter being the more costly option.