Data Security

Yes – Data Compliance Applies to You

One of the biggest misconceptions among powersports dealers is the belief that many state and federal compliance regulations do not apply to them. Nothing could be farther from the truth! In many states, motorcycle dealers are covered under “New Motor Vehicle Dealer” statutes that were written for automotive retail. Eight states have laws that specifically address powersports dealers. Another 17 states have “Franchised Dealer” statutes that define a dealer agreement as a franchise agreement, regardless of what an OEM wants to call it. Dealer-OEM relations may also be covered by multiple laws within a state.

From a federal regulatory standpoint, the Federal Trade Commission has regulations that impact automotive, recreational vehicle, and powersports dealers nationwide. Beginning on June 9, those compliance requirements will expand significantly as the updated Safeguards Rule goes into effect. These stringent requirements relate to information security practices in your dealership. In our current environment of data breaches, security hacks and stolen identities, failure to comply with these requirements could mean expensive fines, lost trust from your customers, lenders, and the community, as well as crippling cybersecurity issues. Let’s break down the details and see what steps you need to take to protect your dealership and your customers.

What is the Safeguards Rule?

Originally enacted in 2003, the FTC amended the Safeguards Rule in 2021 but extended the deadline for compliance to June 9th of this year, giving dealerships more time to incorporate the needed equipment, training and procedures. Specifically, the new requirements include:


Consumer Privacy in Powersports

Steve Roennau Vice President Compliance EFG Companies
Contributing Author:
Steve Roennau
Vice President
EFG Companies

Do you know someone who was affected by the Equifax data breach? How about the Verifone hack or, the breach within the Internal Revenue Service (IRS)? According to the Identity Theft Resource Center® (ITRC) and CyberScout®, 1,579 data breaches occurred in 2017, representing a 44.7 percent year-over-year increase.

A study of more than 10,000 consumers by Gemalto, a data security firm, stated 70 percent of consumers would stop doing business with a company if it experienced a data breach. And, 69 percent feel businesses don’t take security of consumer data very seriously.

Powersports dealers have been regulated on consumer privacy ever since the Gramm Leach Bliley Act was passed in 1999. Under Gramm-Leach Bliley, dealers are required to implement, and regularly audit, a written “Information Security Program,” to protect information about its customers. This is called the Safeguard Rule. However, in 1999, digital data breaches were not even a feasible consideration for most dealers.

To date, these “Information Security Programs” detailed how to physically secure private consumer data. It’s because of these programs that most F&I offices are locked, and dealership management pays very close attention to make sure no private consumer information can be displayed on a desk or computer screen for anyone to see.

While these procedures are important, they now need to be augmented to incorporate every possible way a consumer data breach could occur. From a physical standpoint, this includes training the sales team on how to properly manage private consumer information. For example, let’s say a salesperson made a copy of a driver’s license for a test drive and the consumer ended up leaving the dealership without purchasing. What does the salesperson do with that photocopy? Do they just put it in their desk trash bin, or do they put it in a secure shredding bin? If they just put it in their desk trash bin, that data is not secure. Anyone could come and take that photocopy out of the trash.