Safeguards Compliance: Carrots and Sticks
“Why comply?” It’s a question a person in my line of work hears all the time. “Uh, because it’s the law?” is an answer I provide all the time, but if that were sufficient, people wouldn’t be asking me in the first place.
Is compliance a necessary evil to be accomplished at the lowest possible level, or a necessary and welcome part of running a modern business? It all depends on how you look at it.
The brutal truth is that there is a certain calculus to compliance. If the costs of compliance are too high, people tend to take their chances. It’s not that they don’t understand the legal requirements. It’s like Sal Tessio said in The Godfather before he gets whacked: “Tell Mike it was only business. I always liked him.”
The revised Safeguards Rule is a case in point. NADA estimates compliance could require an initial spend of $293,975 per dealership, plus another $276,925 per year in ongoing cost. Given such a high cost of compliance, a dealer could reasonably conclude it is better to self-insure and take its chances. It’s nothing personal — it’s just business.
So why comply with the Safeguards Rule when doing so is cost prohibitive? As always, there are carrots and there are sticks. Let’s look at the carrots first. As a preliminary matter, let’s consider the estimated cost of compliance NADA commissioned a consulting firm to compile. I have no doubt that a good-faith effort to comply with the rule can cost that much, but some of the assumed facts are changing rapidly.
One of the stated assumptions was that this cost was for a single dealership location. But approximately two-thirds of all dealer owners control more than one point, and there are economies of scale to some of the most expensive components to a robust compliance solution. Also, some other costs may be shared and spread across different locations. This will serve to drive down prices.
Also, there are companies springing up to address the demand for affordable compliance solutions in the retail automobile space. Indeed, this happened when the initial Safeguards Rule went into effect in 2003. Many of those companies disappeared, but some survived (mine included), and this vibrant competition fuels innovation and reduces costs. It will happen again.
Suppose the all-in cost of compliance could go down to $2,500 per location per month (it can). That’s still a cost most dealers would like to avoid. Which brings us back to the original question — why comply?
Another carrot is knowing that it is simply the right thing to do, and a necessary cost of enjoying a remarkable benefit: computer technology. A small dealer will spend around $5,000 per month for a dealership management system (DMS); an average dealer could spend $10,000-$15,000; and a large dealer with all the options could spend $30,000. Yet, not one of those dealers would consider doing business without a DMS. The cost of a DMS is a fraction of what it would cost to staff up and perform its myriad tasks manually. Dealers see it as a necessary cost of doing business.
Once you accept the need to collect sensitive customer information and to use computer networks to process and store it as a necessary element of running your business, the added cost of protecting that data seems reasonable and necessary. By way of analogy, consider gun ownership. Once you own firearms, it is necessary to keep them away from the wrong hands. It is also the law (at least in Florida where I live). Therefore, buying a gun safe (which is not cheap) and installing it (which is not easy) is a reasonable and necessary cost. If you buy a gun, you buy a means of protecting it.
Then there’s the carrot of informed self-interest. Many dealers balk at the cost of protecting customer data, but what about protecting their own? Consider ransomware, the process whereby hackers infiltrate a network and lock up or encrypt its data. If the victim doesn’t pay a ransom (usually in Bitcoin or other cryptocurrency), the data is deleted.
Multinational insurance firm AIG reported a 150% increase in ransomware claims between 2018 and 2020. The auto industry is not immune. In February of 2021, ransomware attackers hit Kia Motors America. The hackers threatened to release sensitive consumer data if Kia did not pay the ransom they demanded. The notorious hacker group DoppelPaymer claimed responsibility for the attack. Kia denied an attack occurred but could not deny the system outage at the heart of the matter.
Dealerships are not immune. For example, Arrigo Automotive Group in West Palm Beach, Florida suffered a ransomware attack in December of 2019 that closed its operations for several days. Rather than pay the ransom, Arrigo installed an entire new computer network — at the cost of more than $285,000.
While it shifts focus and emphasis, securing your IT network from ransomware and other attack profiles will address most of the new requirements of the revised Safeguards Rule. Once you’ve properly identified network vulnerabilities and buttoned them down, much of the work under the rule is accomplished and protection of your customers’ data is an added benefit.
All of the above are compelling “carrot” reasons to comply with the revised rule, where costs are seen as reasonable under the circumstances and the benefits obvious to all.
Then there are the “stick” reasons for compliance — the bad results that could flow from a failure to comply. These are compelling, too.
The first bad consequence to look at is the actual fines the FTC can assess, currently $46,517 per violation. This became a bit more complicated last year when the Supreme Court handed down a ruling that limits the FTC’s ability to pursue and collect those fines. In the case of AMG Management, LLC v. Federal Trade Commission, the FTC sought to recover a whopping $1.27 billion from AMG Management, which it accused of deceptive practices with respect to payday loans. AMG challenged the FTC’s authority to assess any monetary penalties at all.
In a remarkable and rare unanimous decision, the Supreme Court agreed with AMG, holding that Section 13(b) of the FTC Act, which the Commission used as authority to fine AMG, did not authorize the Commission to seek, or a court to award, equitable monetary relief.
You shouldn’t read too much into this decision, and you certainly shouldn’t conclude that misbehaving dealers don’t need to fear substantial monetary fines. All it means is that — for now — you can’t be fined under the authority of Section 13(b) of the FTC Act. I say, “for now,” because efforts have already begun to revise that statute to expressly grant the FTC authority to seek monetary fines. That change could happen this year… or never.
In the meantime, the FTC has other enforcement options. For example, the FTC is required to submit its complaints to the Department of Justice before they can be filed in federal court. The DOJ then has 45 days to decide if it wants to take the case. If it does, the case could be filed under Title 18 of the United States Code, and Title 18 has even stiffer penalties than the FTC Act, including jail time. That’s a big stick.
Then there are consumer lawsuits. Lose a customer’s personal information and you could be facing a lawsuit for negligence. For those who didn’t go to law school, negligence occurs when you have a duty to someone, and your breach of that duty causes damages. The Safeguards Rule (and many state laws) certainly imply dealers have a duty to protect their customers’ nonpublic personal information. If the breach of that duty causes damages (and such damages are generally presumed) — voilà! — you have a case for negligence.
Not all negligence cases carry a serious risk of punitive damages. Cases surrounding fraud are more likely to result in punitive damages. Here’s where the stick gets really big: the FTC considers failure to follow the Safeguards Rule to constitute consumer fraud.
Here’s how. The Safeguards Rule and the Privacy Rule both flow from the same authorizing statute: the Gramm-Leach-Bliley Act of 1999. The Privacy Rule requires dealers to give customers a Privacy Notice. The Privacy Notice assures customers that the issuing dealer employs administrative, technical, and physical safeguards to protect their nonpublic personal information. That’s a promise. In writing. If you don’t employ administrative, technical, and physical safeguards, that’s fraud, at least in the eyes of the FTC — and the plaintiffs’ bar.
Finally, there’s the risk that the CFPB won’t let banks — which they directly oversee — buy the paper of dealerships that don’t demonstrate compliance with the rule. That could be the biggest stick of all.
Like the money you spend for a DMS, the money you spend to protect its contents could be the best check you write every month. It all depends on how you look at it.
James Ganther is president of Mosaic Compliance Services and co-founder of Automotive Compliance Education.