The Small Business Administration Office of Advocacy has joined auto industry groups in petitioning the Federal Trade Commission to give financial institutions and dealerships another year to meet the revamped Safeguards Rule as the compliance deadline nears.

Following a rule-making process dating to 2019, the FTC in October 2021 voted 3-2 to update the Safeguards Rule. The agency gave businesses until Dec. 9, 2022, to comply with the revised regulations, which are an element of the Gramm-Leach-Bliley Act governing consumer information security.

“While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses,” the FTC wrote in a May guide for companies. “It reflects core data security principles that all covered companies need to implement.”

The National Automobile Dealers Association, auto lender trade group American Financial Services Association, credit bureau organization Consumer Data Industry Association and collections association ACA International in July asked the FTC in a letter to extend the compliance deadline to Dec. 9, 2023.

“Our members appreciate the FTC’s work to protect customers’ information,” the four trade groups wrote. “At the same time, the residual effects of COVID-19 on the labor market and supply chain, as well as dueling regulatory demands and the technological changes required for proper compliance, make it difficult for covered entities to uplift their information security programs to meet the requirements in the Final Rule.”

The SBA Advocacy Office this month requested the same 2023 target date, arguing small businesses are at a particular disadvantage in attempting to comply. The advocacy office is an independent part of the agency and tasked with advancing the views of small businesses. Companies with 5,000 or fewer customer records are exempt from some of the rule’s requirements, but NADA leaders and compliance experts have said few, if any, dealers would likely be exempt.

“Because of the economies of scale, less robust recruiting and human resources budgets, and the waiting period for equipment that is being obtained by the larger companies, the problems that are outlined in the letter are magnified for small entities,” Major Clark III, SBA Advocacy Office deputy chief counsel, and Jennifer Smith, SBA Advocacy Office assistant chief counsel for economic regulation and banking, wrote to the FTC.

FTC spokeswoman Juliana Henderson confirmed Thursday that the agency had received the letters but said it had no additional comment.

Celia Winslow, AFSA senior vice president and regulatory expert, said last week that the FTC hadn’t yet replied to her group other than to confirm receipt.

“It’s been awhile since I’ve worked with the FTC on a rulemaking so I don’t know how often the agency agrees to a delay in implementation,” Winslow wrote in an email to Automotive News.

Jean Noonan, a partner at dealer law firm Hudson Cook and a former FTC enforcement director, said that historically, a request for a delay had a chance of success. However, “the new FTC is quite unpredictable.”

The industry needed the extra time, she said, because many small companies were “chasing scarce resources” to meet the requirements.

“They are really working very hard to comply,” Noonan said of dealerships, though “they’re a little late to the game.”

Many dealerships, particularly independents, lacked awareness of the change at first, she said.

Noonan acknowledged a “reasonably decent opposing view” held that the rule-making process ran a “very long period of time” — businesses have known it to be a possibility for a while — and already gave dealers a year for compliance. That’s “pretty generous” by regulatory standards, she said.

“Sometimes it’s 30 days,” she said, though something with the scope of the Safeguards Rule would be given more time. The agency already granted a delay during the comment period of the rule-making, and it might not be inclined to grant one on its execution, she said.

The updated Safeguards Rule lists nine elements that must be found in a dealership’s cybersecurity program. A business must hire or outsource a “qualified individual” to oversee the program and report to company leadership; assess risks and act to minimize them; have an incident response plan should a breach occur; test or monitor its system; train staff; monitor vendors for information security; and adapt the system to changes at the business or other developments.

NADA, AFSA and the other trade groups highlighted some of the challenges of complying with all of this by Dec. 9.

The current market makes it difficult to hire qualified people, and cybersecurity staff might be in particularly short supply, they said. Supply chain issues make it difficult to get the equipment to upgrade information technology or code necessary software, the groups said. Competing privacy rules with their own deadlines also exist, such as California Consumer Privacy Act amendments, which start Jan. 1. A written risk assessment takes time and needs those elusive cybersecurity professionals, the associations wrote.

Businesses also must ride herd on their vendors, the groups said.

“This process is particularly cumbersome and time consuming. In many cases it is outside of the control of the covered entities themselves,” the associations wrote. “As a result, the difficulties many covered entities have in meeting internal compliance are only multiplied by the myriad differing service provider capabilities, technologies, receptiveness, and internal challenges of their own. Covered entities simply need more time to ensure their service providers are taking the steps required under the Final Rule.”

Audrey LaForest contributed to this report.