Safeguarding Data: Service Providers Under the Spotlight
In the rapidly changing world of digital retail, maintaining the integrity and security of Customer Non-Public Personal Information (NPI) is more than just best practice: it is critical. Service providers (DMS, CRM, etc.) must comply with the Gramm-Leach-Bliley Act's (GLBA) Safeguards Rule, especially when it comes to sharing dealer data with other service providers. This was made clear in the 2019 Federal Trade Commission (FTC) Consent Order issued to DealerBuilt, and it applies to every service provider working with dealers today. In 2016, insecurities in DealerBuilt's environment were exploited and a large volume of sensitive customer and employee data, stored without encryption or protection, was breached. The resulting data leak probably could have been caught if they had performed penetration testing or vulnerability scans. Because they were holding so much dealer data, the FTC expected them to maintain the same level of data security standards as their dealers. The FTC's intervention highlights the consequences service providers could face when they do not adhere to robust data security standards. Service providers who fail to adhere to the Safeguards Rule revisions that went into effect in 2023 risk long-term and costly governmental intervention into their business.
Understanding the Nuances: The Safeguards Rule
The FTC has made it clear that both dealerships and their service providers are classified as "financial institutions". Because service providers (DMS, CRM, etc.) process customer data on behalf of dealers, the FTC classifies them as financial institutions as well. This means that the FTC will hold service providers in the automotive industry to the same data protection standards as it holds dealers, banks, lenders, and other financial institutions. To protect themselves, service providers must implement at least the same level of Safeguards as their dealer clients.
If a service provider fails to meet the Safeguards Rule standards, they could be liable for the negative consequences of a data breach at every single one of their dealers. Service providers must recognize this responsibility, not only to safeguard their dealers' data but to protect their reputation.
Service Provider Oversight
Under the revised Safeguards Rule, service providers must therefore oversee their own service providers, including any provider with whom they share dealer data via partner integrations. According to the NADA Driven Guide to the FTC Safeguards Rule, this means they must:
- Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards of customer information
- Require service providers by contract to implement and maintain such safeguards
- Periodically assess service providers based on the risk they present and the continued adequacy of their safeguards
Do you take steps to ensure that your service providers maintain adequate procedures to protect your dealers' customer information and are able to detect and respond to potential security breaches?
As part of the Safeguards-required Systems Inventory, it is critical that you know where your dealers' customer information is going. In addition to getting the dealers' authorization for data sharing, you need to be able to pinpoint exactly what data is going to which integration partners for every dealer in your network. According to the NADA Driven guide, you must know:
- what customer data is being shared with which third parties
- enough about each third party's IT infrastructure to determine whether their controls are adequate.
Are you confident in your ability to precisely track and assess the flow of your dealers' customer information to integration partners?
Activate: The Ultimate Solution for Service Providers
Without a tool, this quickly turns into an unreasonable burden. Amid these growing challenges and increased regulatory demands, Activate provides a robust solution for service providers aiming to navigate this terrain. Activate is uniquely positioned to help you address the following compliance challenges:
Activate offers a built-in mechanism for service providers to efficiently oversee their partners. This streamlines the process of ensuring that all associated service providers maintain the mandated safeguards and adhere to the best practices in data protection. With Activate, the cumbersome task of periodic assessments becomes a breeze, making it easier to evaluate and validate the risk management processes of all partner integrations.
Comprehensive Systems Inventory Management
One of the biggest challenges service providers face is tracking where their dealers' customer information is being sent. Activate provides a holistic view of data flow, ensuring service providers can quickly understand which customer data is being shared and with whom. This not only meets the requirements of the Safeguards Rule but makes the process efficient and hassle-free.
Streamlined Authorization Process
Activate understands the criticality of dealer authorization for data sharing. It simplifies the process, making it straightforward for dealers to grant their authorization, and it also facilitates regular reauthorizations. This ensures all data sharing remains transparent and authorized.
In conclusion, maintaining data sharing compliance without a dedicated tool can be daunting. Activate takes this burden off service providers by leveraging our network to make your dealer service activation process simple and pain-free.
In an era where data security and compliance are not just a matter of best practice but a critical obligation, Activate stands out as the go-to solution for service providers. It not only helps you safeguard your dealers' customer NPI but also ensures that your integration partners meet the rigorous standards set by the FTC. By choosing Activate, service providers are not just choosing a tool; they are choosing peace of mind.