The Cost of Compliance Just Went Up. Again.

The unintended consequence of the revised Safeguards Rule is that, faced with high costs, a dealer may reasonably believe that doing nothing is an attractive option. That option is attractive, but not viable.

IMAGE: GettyImages.com

In the beginning was the Gramm-Leach-Bliley Act, at least when it comes to dealership awareness of consumer data security issues. And the Gramm-Leach-Bliley Act begat the Safeguards Rule, which has been the law of the land since 2003.

The original Safeguards Rule was a model of brevity, at least by the standards of government regulation. Weighing in at just 786 words, the original Rule was designed to be “flexible,” which made sense – what is reasonable for an international credit card company might not be reasonable for a dealership that moves 75 units/month in Des Moines. That reasonableness standard became a dealer’s best friend.

While the flexibility of the original Rule was seen by dealers as a strength, from the regulators’ perspective it was a weakness. In practice, it created an additional layer of proof that could be hard to meet: What, exactly, is a “reasonable” safeguard under the unique circumstances of each industry to which the Rule applied?

It was this issue, in part, that led to the revised Safeguards Rule, published on December 9, 2021, and comprised of nearly 5,000 words. What was once a subjective standard became objective; certain safeguards had to be in place whether it was reasonable in the dealership environment or not.

For example, the original draft of the revised Safeguards Rule, put out for comment in 2019, required all entities covered by the Rule to have a Chief Information Security Officer, or “CISO.” This makes sense for American Express – they have one; his name is Fred – but for that 75-unit/month dealer in Des Moines? Not so much. A credentialed CISO can easily cost $200,000 per year, plus health benefits, 401(k) and a company car.

The final Rule omitted the express requirement that all covered entities have an actual CISO on staff (thank you, NADA), but the new version of the Rule replaces that with a requirement for a “Qualified Individual” to oversee the entity’s Written Information Security Program (“WISP”). But what constitutes the necessary qualification? As I write this, there is no clear answer.

NADA published a study it commissioned in 2019 estimating the cost of complying with the revised Rule as it was then understood. The one-time costs to get the ball rolling were estimated at a jaw-dropping $293,975 per franchised dealership, with ongoing costs of $276,925 per year.

Ouch.

There is some good news here, but only a little. The estimated cost of data encryption, for example, could be eliminated for dealers that use service providers that offer that function for free. In the three years since NADA commissioned its study, that became much more prevalent in the marketplace. Dealers would be well-served to investigate that option.

In a like vein, Multi-Factor Authentication (“MFA”) has also become more common as a free component of web-based services. Biometric authentication, whether facial recognition or fingerprint reading, is now common on smart phones and many workstations. So, some costs may effectively be avoided.

Unfortunately, those areas, while significant, are not where the biggest costs reside. Here is a brief list of the new Safeguards obligations and their likely cost impact:

  1. Designation of a “Qualified Individual” to oversee the program. While not as pricey as hiring a full-time CISO, it is not certain that a current dealership employee will qualify as being, well, qualified. Under the final Rule, this function may be outsourced, though responsibility for the CISO’s functions remains with the dealership. And the Program Coordinator (already required under the old Rule) needs to be “qualified” to oversee the third-party Qualified Individual. Assume a minimum of $9,360 per year for the outside Qualified Individual (48 hours per year at $195/hour), plus training expense for the inside Program Coordinator to oversee the third party. That training cost is accounted for below under item 13.
  2. Requirement of a written risk assessment. This is more than a creative writing project. A satisfactory written risk assessment must roll up and analyze the findings of specific inventories and assessments, and certainly requires – dare I say it? – a qualified individual. That person does not necessarily need to be the Qualified Individual, and could be an existing dealership employee. It is possible to work with an outside consultant for the initial risk assessment and then take the task in-house down the road. For this estimate, that’s the approach we’ll take. Assume a 120-hour effort at $195/hour, or $25,900.
  3. Access controls. This is a different function than MFA, below. This entails ensuring, for example, that employees can only access the data they need for their job description, or that customers can only access their own files. This cost is difficult to tease out of other costs that touch the topic, and is not separately priced here.
  4. Data/systems inventory. This is absolutely mandatory – a dealership can’t protect assets it doesn’t know it has. For purposes of this estimate, its cost is included in the risk assessment, for which it serves as a foundation.
  5. Data encryption. For dealers that don’t get this function for free elsewhere, expect to pay $3,000 per year.
  6. Secure development practices. To be fair, how many dealerships are developing their own software? For those that do, we’ll go with NADA’s estimate of $37,500 per year. At that cost, many smaller dealers may just elect to give up the practice and live with commercial off-the-shelf software.
  7. Multi-factor authentication. Again, dealers may be able to get this feature for free from existing vendors. For those that don’t, expect to pay between $6,000 and NADA’s estimated $18,500 per year, depending on the size and complexity of your actual IT environment.
  8. Systems monitoring and logging. Dealers must implement a system to monitor the use of IT assets by authorized users and detect unauthorized users. NADA estimates that cost at $29,000 per year.
  9. Secure data disposal procedures. You know that big Shred-It truck that shreds your old deal jackets? Imagine that function to scrub all your IT assets clean before destroying them at the end of their useful lives. Just throwing them in a dumpster won’t do, nor will donating them to a worthy cause. Expect to pay $3,000 – $10,000 per year.
  10. Change management procedures. Dealers must devise and document a plan for maintaining the security of their IT network, and pay someone to ensure that plan is consistently followed and documented. Expect to pay the NADA estimated cost of $2,000 per year.
  11. Unauthorized activity monitoring. This sounds like it heavily overlaps item 8 above, so we’ll assume its cost is covered there.
  12. Intrusion detection/vulnerability testing. This is where things get pricey in a hurry. This service is typically charged per item being monitored, and that cost can easily reach $10 per monitored item. How many items does a typical dealership location have? Add workstations, firewalls, switches, routers, phones, tablets, etc. and the number can easily reach 250 per store. That adds up to $30,000 per year, and there is no easy way around this, nor should there be. Other than human factors, this may be the most important security function a dealership undertakes.
  13. Enhanced training for general employees and information security personnel; verifiable process of keeping information security personnel current on emerging threats. This sounds like a lot, and it is. But this function can be addressed for about $4,000 per year per rooftop, regardless of the store’s size.
  14. Selecting, overseeing and monitoring Service Providers. This is hard to automate. Expect to pay from $6,000 to $12,000 per year, depending on the number and nature of a specific dealership’s service providers.
  15. Written incident response plan. NADA’s estimate of $6,625 per year seems about right.
  16. Annual written report to Board or Senior Management. This cost can run from close to zero for a dealership that wants to do this entirely in-house (not advised, at least the first time) to NADA’s estimated $9,000. For the first year, at least, I’d go with NADA’s number.

Based on the above assumptions, a prudent dealer can expect to pay from $162,385 to NADA’s estimated $276,925 per year, or $13,532 to over $23,000 per month.

The unintended consequence of the revised Rule is that, faced with those costs, a dealer may reasonably believe that doing nothing is an attractive option. That option is attractive, but not viable. Next time, we’ll discuss how to satisfy the new Rule’s requirements without breaking the bank.

James S. Ganther is President of Mosaic Compliance Services and a co-founder of Automotive Compliance Education.