Staying Compliant and Secure: What Dealerships Need to Know About Privacy, Cybersecurity & AI

In the fast-evolving world of automotive retail, dealerships face increasing pressure to meet regulatory expectations and protect sensitive data. As vehicles become more connected and reliant on artificial intelligence (AI), the risks tied to data breaches and cybersecurity failures grow more serious—and more costly.

For dealerships, the message is clear: compliance is not a one-and-done task. It requires consistent attention, routine training, and proactive planning. Learn more about staying compliant with the legal experts at Charapp & Weiss.

Why the Privacy and Safeguards Rules Still Matter

Dealerships have long been subject to the FTC’s Privacy Rule, which was established under the Gramm-Leach-Bliley Act. If your dealership provides or arranges financing, leases, or offers financial counseling, you’re required to give consumers a clear notice about how their personal financial information is collected, shared, and protected.

These notices must explain what kind of data is collected, how it’s used, and whether it’s shared with third parties. Just as importantly, consumers must be given the opportunity to opt out of certain data sharing practices. Ensuring these notices are current and provided consistently as part of the deal process is a key part of regulatory compliance.

On top of the Privacy Rule, dealerships must also comply with the FTC’s Safeguards Rule, which was recently updated to impose even stricter requirements. Dealerships now need a comprehensive, written information security program. This isn’t just about checking a box—it’s about designing and maintaining safeguards to protect sensitive consumer data.

The Safeguards Rule also requires prompt reporting of data breaches affecting 500 or more individuals. If a dealership’s system is breached, the FTC must be notified within 30 days of discovery.

Cybersecurity Risks Are Driving Urgency

The rise of software-defined vehicles (SDVs) and AI-powered features has transformed the modern automobile—but it’s also opened the door to new vulnerabilities. Recent high-profile incidents highlight just how serious these risks are.

For example, a flaw in Subaru’s STARLINK connected vehicle platform exposed user data and even gave hackers remote control over vehicle systems. Kia also faced an incident where bad actors could access owner data and control vehicle functions using just a license plate number.

And these aren’t isolated cases. Automotive cybersecurity incidents have been on the rise, leading to recalls, legal claims, and reputational damage. As vehicles become more reliant on over-the-air updates, autonomous systems, and cloud connectivity, the margin for error is shrinking.

What Dealerships Should Be Doing Right Now

Even though cybersecurity vulnerabilities often start at the manufacturer level, the legal and financial fallout can land squarely on dealerships. That’s why it’s essential to take preventative steps.

Start with your own processes. Any time a vehicle is traded in, returned from a loan, or reassigned as a demo, your team should have a reliable, documented way to wipe any customer data stored in the vehicle. Failing to do so could result in privacy violations—or worse, a breach.

Cyber insurance is another critical area. Standard garage policies typically don’t cover data breaches, so speak with your broker about separate endorsements that will protect your business if an incident occurs.

Dealers also need to stay informed about vulnerabilities in the vehicles they sell. Selling a car with a known (or knowable) cybersecurity flaw could lead to claims of negligence or breach of warranty. Monitoring manufacturer bulletins and recalls is more than a best practice—it’s a defense strategy.

Internally, dealerships must also secure their own networks and customer databases. This includes isolating dealership systems from connected vehicle platforms and ensuring all consumer data is encrypted and handled in compliance with federal and state privacy laws.

Working with a compliance provider can be a valuable investment. Companies like ComplyAuto help dealerships implement cybersecurity protocols that meet evolving standards under the Safeguards Rule and state privacy regulations.

Looking Ahead

Finally, be prepared. Dealerships should have a clear incident response plan in place. This includes knowing how to react, who to notify, and what steps to take if a breach occurs. It also means making sure you’re indemnified by manufacturers when flaws in their systems lead to lawsuits or financial losses.

As vehicles get smarter, so must dealerships. Compliance and cybersecurity are no longer back-office concerns—they’re core business priorities. Charapp & Weiss is here to help you stay ahead of the curve, protect your operations, and meet your legal obligations with confidence.