May 11, 2026

FTC Updates Data Breach Notification Form Allowing Dealer Vendor to File Consolidated Breach Notice on Behalf of Its Dealer Clients

What's new: The Federal Trade Commission (FTC) has updated its Safeguards Rule data breach notification form. The new form clarifies that a third party, such as a law firm or third-party vendor, is able to submit the notification on behalf of a financial institution. The form also adds a check box that the submitter can use to request a secure file transfer link for providing a spreadsheet of the names of the financial institutions on whose behalf the notice is being sent.

When such a filing occurs, the third party may enter the following in the "Name of Affected Financial Institution" data field: "Multiple car dealerships listed in the submitted spreadsheet."

Why it matters: The FTC Safeguards Rule requires financial institutions (including dealers) to provide an electronic notice to the FTC on the FTC's website as soon as possible and no later than 30 days after discovering a notification event involving the information of at least 500 consumers. A notification event is the unauthorized acquisition of unencrypted customer information. This update to the breach notification form clarifies that third parties may file the form on a dealer's behalf but does not relieve dealers of any of the requirements in the Safeguards Rule, including the obligation to oversee their service providers.

Tell me more:  Following two recent data breaches reported by third-party vendors that potentially triggered the breach notification requirement for auto dealers, NADA worked with the FTC and the vendors to have the vendors file a consolidated breach notice on behalf of their dealer clients. The old form did not have the capability to allow a vendor to file a consolidated breach notification. The updated form now allows for this capability. Dealers should coordinate closely with their vendors to ensure that any required data breach notices are filed in a timely manner. Dealers should also keep in mind that data breach notifications submitted to the FTC may be made public, whether the dealer submits them directly or through a third party.

Go deeper:  

This memorandum is offered for informational purposes only and is not intended as legal advice. Consult an attorney who is familiar with federal, state, and local law addressing these topics and your operations for guidance on the legal sufficiency of your privacy practices. The presentation of this information is not intended to encourage concerted action among competitors or any other action on the part of dealers that would in any manner fix or stabilize the price or any element of the price of any good or service.