The Safeguards Rule File GLB-314 · Automotive Risk Management Partners
Brief · No. 016 15 U.S.C. § 6801 · 16 CFR Part 314

The FTC Safeguards Rule, in plain English.

Under the Gramm-Leach-Bliley Act, auto dealers are treated as financial institutions — which means the information in every credit application falls under a federal data-security rule. This is a high-level walk-through of what that rule is and what it asks of a dealership.

Reference only · not legal advice

Fig. 01 · Customer information, secured (NPI, encrypted)
Doc GLB-0016 · Rev. 2026.06 · Class NPI

The FTC Safeguards Rule is the part of the Gramm-Leach-Bliley Act¹ that tells "financial institutions" how to protect the customer information they hold. For an auto dealer, that information is the credit application — and the rule asks for a written security program built around a named owner, a risk assessment, and a short list of concrete safeguards². This brief lays out what the rule is, who it covers, and what it requires — no product, no pitch.

A dealer is a financial institution.

GLBA defines a financial institution broadly: any business significantly engaged in a financial activity. Because dealers routinely take credit applications and arrange financing, the FTC treats them as financial institutions — and the data in those applications is nonpublic personal information the Safeguards Rule is written to protect.

Timeline

- 1999 · 15 U.S.C. § 6801 · Gramm-Leach-Bliley Act enacted
- 16 CFR Part 314 · FTC · The Safeguards Rule itself
- Jun 2023 · 2023 amendment · Expanded requirements in force
- May 2024 · Breach-notification amendment · 500+ affected consumers triggers FTC breach notice

What the rule requires.

01 · 16 CFR 314.3 · A written information security program.

The rule requires an actual written program (a WISP) — reasonably designed for the size and complexity of the dealership and the sensitivity of the information it holds. Everything below lives inside that document.

02 · 16 CFR 314.4(a) · A designated Qualified Individual.

One named person must be responsible for overseeing, implementing, and enforcing the program. It can be an employee or an outside provider, but the dealership keeps ultimate responsibility either way.

03 · 16 CFR 314.4(b) · A written risk assessment.

The program has to be built on a documented assessment of the reasonably foreseeable internal and external risks to customer information — and refreshed when the business or the threats change.

04 · 16 CFR 314.4(c)(1) · Access controls.

Access to customer information is limited to those who need it. That means authentication, periodic review of who has access, and removing it when a role changes or an employee leaves.

05 · 16 CFR 314.4(c)(3) · Encryption of customer information.

Nonpublic personal information must be encrypted both at rest and in transit. Where encryption is infeasible, the Qualified Individual may approve an equivalent control in writing.

06 · 16 CFR 314.4(c)(5) · Multi-factor authentication.

MFA is required for anyone accessing systems that hold customer information — unless the Qualified Individual approves a reasonably equivalent control in writing.

07 · 16 CFR 314.4(c)(6) · Secure disposal.

Customer information must be securely disposed of no later than two years after it was last needed, unless a legitimate business reason or a legal hold requires keeping it longer.

08 · 16 CFR 314.4(f) · Service-provider oversight.

Vendors that touch customer data have to be selected for their safeguards, bound by contract to maintain them, and reassessed over time. The credit-app pipeline runs through a lot of third parties.

09 · 16 CFR 314.4(h) · A written incident response plan.

The program must include a written plan for responding to a security event — roles, internal processes, communications, and how the plan is evaluated and revised after an incident.

The program also has to be tested or monitored over time, supported by security-awareness training for staff, kept current as risks change, and reported on in writing — at least annually — to a board or senior officer.

§ 04 · Notice · 30 days max

The breach-notification clause.

A 2024 amendment added a reporting duty. If a security event involves the unencrypted nonpublic personal information of 500 or more consumers, the dealer must notify the FTC as soon as possible — and no later than 30 days after discovering it — through the FTC's online portal.

That federal notice is separate from any obligation a state breach-notification law may impose, which can carry its own timeline and its own audience.

It doesn't stand alone.

The Safeguards Rule is one obligation among several that touch the same customer data. These sit alongside it — they don't replace it.

16 CFR Part 681 · Red Flags Rule

A separate FTC rule that requires an identity-theft prevention program. It overlaps with Safeguards at the dealership but is its own obligation — protecting against identity theft, not just securing the data.

16 CFR Part 313 · Privacy Rule (GLBA)

GLBA's other half. The Privacy Rule governs the notices you give customers about how their information is shared; the Safeguards Rule governs how you protect it. Most dealers owe both.

CCPA / CPRA & others · State privacy laws

A growing number of states impose their own data-security and consumer-privacy duties. They sit on top of the federal rule — they don't replace it — so a dealer can owe both at once.

Frequently filed questions.

01. Why is a car dealership a “financial institution”?

Because dealers regularly arrange or extend financing. Under the Gramm-Leach-Bliley Act, any business “significantly engaged” in financial activities is a financial institution for the FTC's purposes. Taking credit applications and arranging vehicle financing puts most franchise and independent dealers squarely within the Safeguards Rule.

02. What counts as the information being protected?

Nonpublic personal information (NPI) — the customer data a dealer collects in connection with a financial product or service. In a store, that's the contents of a credit application: name, address, Social Security number, driver's license, income, bank and account details, and the like.

03. Who is the “Qualified Individual”?

The single person designated to oversee and enforce the information security program. The rule doesn't require a specific certification, and the role can be filled by an employee or an outside service provider — but the dealership remains responsible for the program regardless of who holds the title.

04. What did the 2023 amendments change?

The FTC expanded the rule with specific, prescriptive requirements — a named Qualified Individual, a written risk assessment, encryption, MFA, an incident response plan, and more — most of which took effect in June 2023. A later amendment added a breach-notification duty that took effect in May 2024.

05. When does a dealer have to notify the FTC of a breach?

Under the notification amendment, a dealer must notify the FTC as soon as possible, and no later than 30 days after discovering a security event involving the unencrypted nonpublic personal information of 500 or more consumers. The notice is filed through the FTC's online portal.

06. Does the Safeguards Rule replace state data-security laws?

No. It's a federal floor. State privacy and data-breach laws can impose additional notice timelines and consumer rights that apply on top of the federal rule, so a dealership often has to satisfy both at the same time.

§ 07 · Also on file

Part of a wider compliance desk.

This brief is published by Automotive Risk Management Partners, which works across the full range of dealership obligations — OSHA, EPA, the FTC Safeguards Rule, F&I, and data security. A few companion references:
