Data Security Compliance in 2022

According to the nonprofit Identity Theft Resource Center, more than half of all small businesses in the US experienced at least one security or data breach in 2021, a 17 percent increase from 2020, at an average expense of $250,000 to $500,000 per incident. As automotive lenders and dealers increase their use of digital sales and technology to house personal and confidential information, data breach incidents have a direct impact on both revenue and regulatory compliance.

The Safeguards Rule

The Federal Trade Commission issued a final rule amending the Safeguards Rule (the “Rule”) that went into effect January 10, 2022. The Rule places requirements on “financial institutions” regarding information security programs and the use of customer information. The amended rule notably expands the “financial institution” definition, which now applies to debt collectors and certain debt buyers, among others. Many businesses are now finding themselves subject to the Rule for the first time.

Update: Prior to the revisions, the Rule required covered entities to perform a risk assessment and then develop and implement safeguards to address identified risks. Now, risk assessments must include specific criteria and be in writing.


Consumer Privacy in Auto Lending

Contributing Author:
Brien Joyce
Vice President
EFG Companies

Do you know someone who was affected by the Equifax data breach? How about the Verifone hack, or the breach within the Internal Revenue Service (IRS)? According to the Identity Theft Resource Center® (ITRC) and CyberScout®, 1,579 data breaches occurred in 2017, representing a 44.7 percent year-over-year increase.

A study of more than 10,000 consumers by Gemalto, a data security firm, found that 70 percent of consumers would stop doing business with a company if it experienced a data breach, and 69 percent feel businesses don’t take the security of consumer data very seriously.

As a lender, you’ve probably paid very close attention to your policies and practices when it comes to securing consumer data, especially as you’ve migrated your business model to a mostly digital platform. However, your dealer partners have not felt the same pressure to ensure their data compliance. After all, it’s only been in recent years that auto dealers have begun to take fuller advantage of the digital resources available to store their documents and manage their customer relationships.

So, here’s my question for you. If a data breach occurs within a dealership and all the consumers they sent your way were affected, does that look bad on you? After all, the consumer thinks of you as their lender, not the dealership. While they may have filled out the loan application in a dealership, they most likely consider you the source of truth for their information. If a consumer has their identity stolen from their loan application and they place blame on you and the dealership, what are you to do?