One of the biggest misconceptions among powersports dealers is the belief that many state and federal compliance regulations do not apply to them. Nothing could be farther from the truth! In many states, motorcycle dealers are covered under “New Motor Vehicle Dealer” statutes that were written for automotive retail. Eight states have laws that specifically address powersports dealers. Another 17 states have “Franchised Dealer” statutes that define a dealer agreement as a franchise agreement, regardless of what an OEM wants to call it. Dealer-OEM relations may also be covered by multiple laws within a state.
From a federal regulatory standpoint, the Federal Trade Commission has regulations that impact automotive, recreational vehicle, and powersports dealers nationwide. Beginning on June 9, those compliance requirements will expand significantly as the updated Safeguards Rule goes into effect. These stringent requirements relate to information security practices in your dealership. In our current environment of data breaches, security hacks and stolen identities, failure to comply with these requirements could mean expensive fines, lost trust from your customers, lenders, and the community, as well as crippling cybersecurity issues. Let’s break down the details and see what steps you need to take to protect your dealership and your customers.
What is the Safeguards Rule?
The Safeguards Rule was originally enacted in 2003. The FTC amended it in 2021 but extended the compliance deadline to June 9th of this year, giving dealerships more time to put the needed equipment, training and procedures in place. Specifically, the new requirements include:
- Designate a qualified individual to oversee your information security program.
- Develop a written risk assessment.
- Limit and monitor who can access sensitive customer information.
- Encrypt all sensitive information.
- Implement ongoing security personnel training.
- Develop an incident response plan.
- Perform periodic assessments of service provider security practices.
- Implement multi-factor authentication, or another method with equivalent protection, for any individual accessing customer information.
What information must be protected?
Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual. Dealers routinely have access to PII when securing financing for a vehicle purchase. Do you know who within your dealership has access to PII, how they use it, and where it’s stored? Let’s look at the three phases that PII passes through during an average deal.
Data in Use
Your team is working with a customer at the beginning of the sales engagement process. The customer is completing the credit application and your employee is capturing critical information, including driver’s license and insurance details. How are you protecting the customer from being overheard or seen while providing this information?
Consider implementing these security measures to protect your customer’s PII:
- Provide a private, secure place for customers to fill out all paperwork
- Rather than using paper forms, direct customers to fill out the credit application on your website
- Use privacy screens on all computer monitors and tablets
Data at Rest
Your dealership team has just sold a bike or UTV. What does your team do with the deal jacket, including handwritten credit apps, notices, installment agreements, etc.? Where is this data stored and is it secure? Who has access to it?
Evaluate your security measures to keep data safe while it is at rest, i.e., not being used.
- Do you rely on tried-and-true locked doors for the secure areas of the dealership where finalized deal jackets are kept?
- When working with a customer, are completed forms or driver’s license copies left on desks, or are they stored in a locked drawer or office when not in use?
- How secure are your dealership’s digital files and how is access to those files managed?
Data in Motion
Your F&I team members are working with credit and lending institutions, exchanging communications, files and PII. How is the data transfer protected?
- Do you use Secure File Transfer Protocol (SFTP) when sending or receiving PII? SFTP runs over Secure Shell (SSH), which encrypts the connection and authenticates the server, providing a high level of security for file transfers such as your team submitting a credit app to a lender.
- Is your website encrypted to protect your online credit application data? Speak with your hosting company about an SSL certificate: a digital certificate that authenticates the identity of a website and enables encryption of information sent to the server.
- Are your emails encrypted? Just as you protect your website, you need to also ensure your emails are encrypted to protect the content from being read by entities other than the intended recipients.
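A certificate only protects your online credit application if it is actually issued for your site's hostname, chains to a trusted authority, and has not expired. The following script is an added example, not code from the original article or from EFG Companies, that checks those three points for a dealership website. The hostname `www.example-dealer.test` and the certificate fields in the sample are constructed for illustration; `check_site` performs a live check against a real server, while `evaluate_cert` works offline on the dictionary shape that Python's `ssl` module returns for a peer certificate.

```python
"""Check a dealership web server's TLS certificate for hostname match and expiry.

The default SSL context verifies the certificate chain against the system's
trusted CAs and rejects untrusted or self-signed certificates before any
data is sent, so a failed handshake here is itself a finding.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone


def _san_matches(dns_names, hostname):
    """Return True if hostname is covered by one of the certificate's DNS names.

    A wildcard such as *.example-dealer.test covers exactly one extra label,
    so it matches www.example-dealer.test but not a.b.example-dealer.test.
    """
    host = hostname.lower()
    for name in dns_names:
        pattern = name.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example-dealer.test"
            if host.endswith(suffix) and host.count(".") == pattern.count("."):
                return True
        elif pattern == host:
            return True
    return False


def evaluate_cert(cert, hostname, now=None, warn_days=30):
    """Evaluate a certificate dict shaped like ssl.SSLSocket.getpeercert().

    Returns a list of human-readable findings; an empty list means the
    certificate is issued for this hostname and is not expired or about to.
    """
    now = now or datetime.now(timezone.utc)
    findings = []

    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not _san_matches(dns_names, hostname):
        findings.append(f"certificate is not issued for {hostname} (names: {dns_names})")

    # ssl.cert_time_to_seconds parses the 'Jun  9 12:00:00 2030 GMT' format as UTC.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if expires <= now:
        findings.append(f"certificate expired on {expires:%Y-%m-%d}")
    elif expires - now < timedelta(days=warn_days):
        findings.append(f"certificate expires within {warn_days} days ({expires:%Y-%m-%d})")

    return findings


def check_site(hostname, port=443, timeout=5):
    """Connect to a live server, verify its chain, and evaluate its certificate.

    Raises ssl.SSLCertVerificationError if the chain does not validate.
    Returns (negotiated TLS version, list of findings).
    """
    context = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version(), evaluate_cert(tls.getpeercert(), hostname)


# Constructed sample certificate fields (hypothetical hostname, not a real site).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example-dealer.test"), ("DNS", "example-dealer.test")),
    "notAfter": "Jun  9 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    checked_at = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for host in ("www.example-dealer.test", "shop.example-dealer.test"):
        print(host, evaluate_cert(SAMPLE_CERT, host, now=checked_at) or "OK")
```

Run `check_site("your-dealership-hostname")` against your own site to see the negotiated protocol version and any findings; a hostname mismatch or an expired certificate is exactly what causes browsers to warn customers away from your credit application page.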
PII can be transferred from a customer to your website, a team member, a lender, your customer relationship management platform, your F&I administrator, and more. Consult your business partners and vendors to evaluate their practices and ensure all data transfer is protected.
If this seems overwhelming, our proven team of advisors can assist you with these critical evaluations as well as the training, tools, and resources needed to keep your dealership in compliance. At EFG Companies, we’re more than an F&I provider, we’re your business partner with years of expertise in the retail automotive industry. Contact us today to learn more about how our team can help you achieve your winning strategy.