Editor's note: This post was originally published on November 8, 2022 and has been revised for clarity and comprehensiveness.
Auto dealerships are under increasing pressure to safeguard sensitive customer information—and for good reason. Cybercriminals are targeting dealerships more frequently, and federal regulators are cracking down on those who fail to protect consumer data.
One regulation that’s turning heads across the industry is the FTC Safeguards Rule, an update to the Gramm-Leach-Bliley Act that imposes strict data security requirements on businesses classified as financial institutions—including dealerships that handle financing, leasing, or credit approvals.
Failing to comply isn’t just a technicality—it can cost your dealership tens of thousands of dollars per day in fines, damage your reputation, and even shut down operations temporarily after a data breach.
At Intelligent Technical Solutions (ITS), we work with dealerships across the country to help them meet cybersecurity and compliance standards. In this article, we’ll walk you through:
- What the FTC Safeguards Rule requires
- The financial and legal consequences of ignoring the rule
- How to get compliant—before you get fined
Let’s break down what your dealership needs to know to stay protected and penalty-free.
What Is the FTC Safeguards Rule?
The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA), which mandates that financial institutions—including auto dealerships that offer financing or collect consumer credit data—implement measures to protect customer information.
Key Requirements Include:
- Risk assessments: Identify internal and external risks to customer information.
- Encryption: Protect customer data in transit and at rest.
- Multi-factor authentication (MFA): Enforce MFA for access to customer data systems.
- Qualified individual: Designate someone to oversee and implement the information security program.
- Employee training: Regularly train staff on handling sensitive data.
- Incident response plan: Create a documented plan for responding to data breaches.
- Vendor oversight: Ensure service providers also adhere to data protection standards.
This rule officially went into effect on June 9, 2023, and the FTC expects dealerships to be fully compliant.
5 Consequences of Non-Compliance with the FTC Safeguards Rule
The consequences of non-compliance with the amended rule are worse than a slap on the wrist. Non-compliance can cause significant damage to your company that goes beyond fines and penalties. Below are some of the major blows your dealership might face if you fail to comply:
1. Expensive Fines
The new rule authorizes the FTC to impose fines on dealerships that don’t comply. The maximum fine you can incur is $50,120 per day per occurrence of a breach. Of course, the FTC will not impose fines for the first offense. However, it can enforce other financial penalties. The agency can seek damages for consent violations, which could total over $43,000 per day for each violation. That’s a hefty sum for any business to shoulder.
2. Extensive Penalties
The list of penalties that you could incur for non-compliance is long and heavy. Based on other non-compliance cases handled by the FTC, the agency will not shy away from enforcing those penalties to the full extent of the law. You could face long-term consent decrees or extensive injunctive relief, which could significantly hamper your business operations. These penalties can force you to cease certain activities related to your violation.
3. Litigation Risks
As we mentioned before, the consequences of non-compliance go beyond fines and penalties. Non-compliance could open your dealership up to potential liability for deceptive practices. That means you could be sued after a security breach if you are found to be non-compliant with the Safeguards Rule. In addition, in some cases you will also have to notify victims after a breach. That greatly increases the risk of litigation.
4. Reputational Damage

Damage to your dealership’s reputation is one of the most obvious and unfortunate after-effects of a security breach. Not only will it impact your customers’ trust, but it can also worsen your relationships with suppliers and other affiliates. That could hamper your ability to transact as you could run the risk of banks not buying your paper. In fact, many banks are already sending addendums to this effect to many dealership groups.
5. Data Loss

There’s a reason the FTC updated the Safeguards Rule, and it’s not to make things harder for business owners like you. The rule was amended to help you protect your business and customers from data breaches. Your data is valuable, and cybercriminals know how much it is worth, so they will stop at nothing to get their hands on it. They’re hard at work trying to get your information; if they succeed, it could cost you millions of dollars.
In fact, a 2024 study found that the US had the highest cost of a data breach for the 14th year in a row. It put the average data breach in the country at $9.36 million, almost $5 million more than the global average. The more stringent FTC Safeguards Rule could help get that number under control.
How to Get—and Stay—Compliant
It’s not enough to check a few boxes. Compliance is a continuous process. Here's how to tackle it:
1. Perform a Risk Assessment
Start with a full review of your systems, processes, and third-party tools. Identify weaknesses and prioritize fixes.
2. Develop a Written Information Security Program
Your WISP should outline policies for data storage, access, breach response, vendor oversight, and more.
3. Implement Technical Safeguards
Enable MFA on all user accounts, encrypt sensitive data, and set up activity logging to monitor access attempts.
4. Train Your Staff
Human error is the #1 cause of breaches. Regular training helps employees recognize phishing scams, handle sensitive data, and follow best practices.
5. Vet and Monitor Your Vendors
Ensure your software providers, marketing partners, and third-party IT vendors are also compliant with FTC rules.
Managed security service providers (MSSPs) and cybersecurity providers like ITS can help you get and stay compliant. They can assess your current status, implement the required safeguards, and manage them on an ongoing basis.

Need Help Complying with the FTC Safeguards Rule?
Safeguards Rule compliance can seem like an uphill battle, but it serves your interests, too. Not only does it help you uphold the trust of your customers and suppliers, but it can also serve as a roadmap to protecting one of your most valuable assets: your data. On the other hand, non-compliance might seem easier in the short term, but it could bring serious consequences for your company down the line.
Failure to comply could bring a series of major blows to your dealership, such as:
- Expensive fines and other financial sanctions
- Extensive penalties like long-term injunctions that could impede your operations
- Increased risk of costly litigation
- Reputational damage that could hamper your transactions
- Data loss costing millions of dollars
ITS is dedicated to helping businesses in the financial and auto industries meet their compliance goals. Learn about how we can serve as your trusted compliance partner to help you meet those regulatory requirements. Schedule a free compliance consultation with one of our experts today.
Mark Sheldon Villanueva
Mark Sheldon Villanueva has over a decade of experience creating engaging content for companies based in Asia, Australia and North America. He has produced all manner of creative content for small local businesses and large multinational corporations that span a wide variety of industries. Mark also used to work as a content team leader for an award-winning digital marketing agency based in Singapore.