According to the nonprofit Identity Theft Resource Center, more than half of all small businesses in the US experienced at least one security or data breach in 2021, a 17 percent increase from 2020, at an average expense of $250,000 to $500,000 per incident. As automotive lenders and dealers increase their use of digital sales and technology to house personal and confidential information, data breach incidents have a direct impact on both revenue and regulatory compliance.
The Safeguards Rule
The Federal Trade Commission issued a final rule, effective January 10, 2022, that amends the Safeguards Rule (the “Rule”). The Rule places requirements on “financial institutions” regarding information security programs and the use of customer information. The amended rule notably expands the “financial institution” definition, which is now applicable to debt collectors and certain debt buyers, among others. Many businesses are now finding themselves subject to the Rule for the first time.
Update: Prior to the revisions, the Rule required covered entities to perform a risk assessment and then develop and implement safeguards to address identified risks. Now, risk assessments must include specific criteria and be in writing.