FTC's plan too costly to dealers, NADA says

Potential revisions to federal data security rules could add billions of dollars in costs to U.S. auto dealerships in total, as stores already are slumped under the weight of shrinking margins and slowing new-vehicle sales.

Proposed changes to the Federal Trade Commission's Safeguards Rule, which dictates how financial institutions protect consumer data, would require dealerships nationwide to shell out hundreds of thousands of dollars each annually to comply, on top of what they spend to comply with other regulations, leaders of the National Automobile Dealers Association contend. NADA opposes the proposed changes and is asking the FTC to leave the rule as it is.

"The numbers are staggering, even if we're off by 10 or 20 percent," NADA President Peter Welch told Automotive News.
The association estimates the total expense incurred by U.S. franchised dealerships could top $2.2 billion in initial startup costs, plus $2.1 billion per year in ongoing costs.

"It puts a squeeze particularly on our smaller dealers," Welch said.

In addition to higher costs for dealers, the proposed provisions may not even prevent some of the breaches, as intended, dealers and dealer advocates say. Lower compliance could be a consequence. But auto retailers' views aren't universally supported: Consumer advocates say any extra expenses should be the cost of doing business if that business includes financial transactions.

Some dealership software companies, including prominent dealership management system providers, told Automotive News they generally support enhanced data security. But they declined to comment directly on the proposals or share details of upgrades they might need to make should the FTC enact the changes.

DMS giant CDK Global Inc., for instance, told Automotive News in an email: "We consistently monitor and update security protocols based on changing regulations and requirements and we believe we are well-positioned to comply with the proposed changes to the (Gramm-Leach-Bliley) Safeguards Rule should they ultimately be adopted."

The Safeguards Rule, which took effect in 2003, implements the privacy provisions in the federal Gramm-Leach-Bliley Act. As it stands, the rule requires dealerships to designate a program coordinator; conduct risk assessments on software handling sensitive customer data; identify risks and design and implement safeguards to protect against them; oversee service providers; and periodically evaluate the program.

In its proposed changes, issued in March, the FTC seeks to strengthen the guidelines for how businesses considered financial institutions under the rule should protect consumers' private information as technology advances. The proposed changes are under consideration, FTC officials have said, with no timetable for a decision.

Auto dealers are required to follow the Safeguards Rule because they offer lease and financing agreements. In public comments to the FTC, submitted in August, NADA and the National Independent Automobile Dealers Association, which represents nonfranchised used-car dealerships, claim the FTC has not provided enough data to justify that the proposed rule changes will lead to meaningful improvements in data security.

"These new requirements reflect an unhelpful shift from a prudent reasonableness standard to a set of prescriptive requirements that may make sense for certain entities but are ill-suited to other financial institutions — in particular, for smaller entities," NADA wrote in its public comment.

NADA projected the cost the proposed requirements would place on auto dealers in a study of small and midsize dealerships.

Small dealerships would pay $220,400 initially and $217,800 in annual costs, NADA estimates. Midsize operations would pay $367,550 initially and $336,050 in annual costs. Dealerships would pay both the upfront and annual costs in the first year, according to NADA.

NADA's Welch called the estimates conservative, noting that it's difficult to say how many dealerships already follow some of the proposed requirements. Larger dealership groups may be able to take advantage of economies of scale to lower costs per store.

"While the numbers reflected in the cost analysis may be easily absorbable by a large, multi-billion-dollar financial institution, it will be prohibitive for many, if not most of our members, who simply do not have the revenue structure, or the margins to absorb costs of this nature and scale," NADA said in its comments to the FTC. Dealerships would have to pass along the costs to consumers, Welch told Automotive News.

Michael Alf, general manager at St. Charles Toyota in Illinois, said he's worried about additional expenses related to increased regulations.

"This is just another threat on the horizon of expenses going up," Alf said. "The hardest thing we deal with in the auto industry is the rise in expenses."

Jim Ganther, a dealer consultant and president of Mosaic Compliance Services in Tampa, Fla., said an unintended consequence of higher costs is lower compliance. A chief information security officer position — one of the FTC's proposed changes — could cost $150,000, he said. Companies can take other steps that protect data, as the Safeguards Rule intends, but don't cost a lot of money, from training employees to spot a phishing attack to installing locked doors to the F&I office, Ganther added.

Rather than tinkering with the existing rule, the FTC should focus on ensuring companies comply with current standards, he said.

"When you make following the rule prohibitively expensive, you increase the odds of ignoring it," Ganther said.

Dealers aren't alone in that claim. Trade groups representing industries as diverse as credit bureaus, wireless carriers and higher education similarly called for more flexibility and less one-size-fits-all in submitted comments.

Their argument, however, doesn't carry a lot of weight with consumer advocates, who generally praised the proposed changes in a joint comment to the FTC. U.S. Public Interest Research Group joined more than a dozen consumer and other advocacy groups, including the National Consumer Law Center and the Consumer Federation of America, in describing the proposals as "reasonable and common-sense measures that any company dealing with large amounts of consumer personal information should take."

"The [auto] industry is doing what it does well: It is putting a lot of associates and junior lawyers to work trying to scare the government," said Ed Mierzwinski, senior director of federal consumer programs for U.S. Public Interest Research Group.

Mierzwinski said dealers' compliance cost estimates are the "worst-case scenario" devised by paid consultants and that the FTC's final rule likely will incorporate more flexibility than industry associations claim it will.

"I would contend that it's being updated because it was way too vague before, but it's not going to become one-size-fits-all," he told Automotive News.

"The little car dealer doesn't have as much information about as many people [as a credit bureau], but at the same time can easily protect it."

The proposed changes follow high-profile data breaches in recent years, from Equifax to Target Corp. to Capital One. Dealers are not immune: DealerBuilt, a dealership software vendor in Mason City, Iowa, in June settled with the FTC after a 2016 breach that affected more than 12.5 million customers at 130 stores. The settlement was formally approved last week, according to the FTC.

It's not that auto dealers oppose taking steps to protect consumers' personal information. On the contrary, groups representing new- and used-car dealers say, their customers expect them to protect private data, and they have done so for years.

Rather, they argue, the FTC's proposed changes remove flexibility that has, for more than 15 years, allowed financial institutions to comply with the law in a way that fits their business.

Scott Dube, president of Bill Dube Hyundai in Wilmington, Mass., says dealerships carry consumer data that isn't necessarily implicated in the Safeguards Rule.

"You bring your car in for an oil change — that has nothing to do with being a financial institution, nor does the FTC see it that way," Dube said. "But how do I treat some data one way and other data another way, especially when they're all in the same system?"

Dube, a former president of the Massachusetts State Automobile Dealers Association and an NADA director, said he sees elements of the FTC proposal as a complete overhaul.

While he is uncertain exactly how much in compliance costs his dealership takes on each year, Dube estimated it was around $10,000.

NIADA, which represents more than 16,000 used-car dealers, pegged the ongoing, annual cost of compliance at $240,000 to $330,000, based on a survey of its dealership members and their information technology vendors.

"This particular rule puts a lot of cost implementation on small businesses without pointing to very specific results that will come," Shaun Petersen, NIADA's senior vice president of legal and government affairs, told Automotive News.

FTC spokeswoman Juliana Gruenwald told Automotive News the agency initially sought general feedback in August 2016, before proposed rule changes were drafted. The amendments released this year were "significant," Gruenwald said via email, prompting the agency to seek more comments before adopting a final rule.

Franchised dealers are likely in the same boat as independent retailers when it comes to filling the chief information security officer position, Dube said.

Dube's store has fewer than 30 employees and sells fewer than 100 vehicles, new and used, per month. Stores of this size will have particular trouble appointing a qualified person to that post, Dube said. NADA said its members estimated the salary required for that position could exceed $150,000 — though NADA used a much more conservative number related to outsourcing the position in the cost study it submitted to the FTC. NADA members also reported to the association that chief information security officer consulting services could cost as much as $10,000 per day.

Dube has no qualms about the position itself — only that it's unnecessary for every dealership. Multinational banks maintaining millions, if not billions, of customer records require a dedicated person to manage information security, he said.

But "in a small business, under 30 employees, you're going to hire a new, highly compensated employee that is purely an expense?" Dube said.

"That, to me, is a solution in search of a problem."