Considering the nature of the data they deal with on a daily basis, it really is no surprise that auto dealerships have to uphold a variety of stringent data security standards based on the requirements of assorted regulations. Let’s explore these standards and review what they will require you to do.
Just a quick disclaimer: we’re IT experts, not legal experts. While we will be discussing some legally-mandated requirements that auto dealerships need to uphold, our specialty is properly putting them in place—not advising you on what you need to do in a legal sense.
Keeping this in mind, let’s go through the standards that today’s car dealerships need to keep in mind in terms of their information technology and data security.
Car Dealerships are Required to Uphold a Variety of IT-Related Legal Standards
On a national scale, there are assorted regulations that apply to automotive dealerships. For instance:
Gramm-Leach-Bliley Act
Auto dealerships offer financing to their customers as a way to make the prospect of purchasing a vehicle more manageable. However, this requires the exchange and storage of sensitive information. The Gramm-Leach-Bliley Act codifies how this information is to be protected and disclosed, ensuring that the consumer is given notice of how they can opt out of certain communications and privacy messages.
The Fair Credit Reporting Act
The FCRA is a federal law meant to keep the information contained in a consumer’s credit bureau file accurate and private. Composed of a few different rules, the FCRA pertains more to credit reporting agencies, but auto dealerships are very much beholden to its requirements. These requirements include…
- The Disposal Rule: This section of the rule requires that the information contained in a consumer report is properly disposed of, “…taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” In essence, this rule requires a business to adequately destroy the storage medium that contains this data.
- The Red Flags Rule: This rule requires businesses to plan and enact a recorded Identity Theft Prevention Program that helps to spot potential events and react to them in an appropriate manner.
- The Safeguards Rule: This portion requires that a dealership in possession of consumer information, such as financial data, takes the appropriate steps to protect that information from breach or misuse.
Furthermore, it was just last year (as of this writing) that the Federal Trade Commission added a few additional rules to the FCRA, applicable only to motor vehicle dealers:
- Address Discrepancy Rule: This rule outlines the procedures that must be followed when an auto dealership receives a notice of address discrepancy from a consumer reporting agency.
- Affiliate Marketing Rule: This rule allows a consumer the right to block the use of certain information obtained through an affiliate to make solicitations.
- Furnisher Rule: This rule requires entities that provide information to consumer reporting agencies to implement written procedures to ensure that the information provided is accurate and untampered with.
- Pre-screen Opt-Out Notice Rule: This puts restrictions on those who would use consumer report information to offer unsolicited credit or insurance offers to consumers.
- Risk-Based Pricing Rule: This requires those who would give a consumer less-favorable terms as a result of their consumer report to notify the consumer that this data was used in such a way.
California Consumer Privacy Act
Before you say anything, yes, we know that California and Michigan are different places. However, with the CCPA granting California’s consumers the right to know what data a business collects, uses, shares, and/or sells about them with the ability to opt out or have this data deleted outright, many other states have been looking to emulate these rules. In short, it is probably a good idea to get a head start and adopt the practices that would put you in compliance with the CCPA.
Michigan Specifically Has a Few IT Regulations Auto Dealerships Need to Follow
Data Breach Notice Statute
Covered entities (including car dealerships) are required to notify their customers and regulatory bodies if a data breach takes place that impacts personally identifiable information—including any data or records concerning customers or previous owners of used vehicles.
Data Disposal Statute
Covered entities need to have established procedures to destroy records containing sensitive information once that information no longer needs to be retained. For the dealership, that means eliminating all information on a vehicle that pertains to the previous owner.
We’re Here to Help Ensure Your Dealership is Covered
When it comes to any legal regulations, you want to be sure you have an expert in your corner to watch your back. In terms of providing the managed services that will help keep your dealership running smoothly, we can serve as that expert for you.
Find out more about the benefits of working with Fuse Technology Group for your IT needs by calling 248.545.0800.