Why Auto Dealers Must Comply with the GLBA Safeguards Rule — and What Happens If They Don’t
If your dealership collects or stores customer financial information, you’re not just selling cars — you’re handling non-public personal information (NPI). That puts you squarely under the jurisdiction of the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, enforced by the Federal Trade Commission (FTC). Many dealerships don’t realize they’re legally considered financial institutions under the rule — and failing to comply can lead to six-figure fines, lawsuits, and reputational damage.
Why Auto Dealers Fall Under GLBA
Under the GLBA, any business that offers or arranges financing, leases, or extended warranties is considered a financial institution. Auto dealers routinely collect consumer credit applications, process financing, and store payment or insurance data, all of which qualifies as customer financial information and brings the dealership within the rule.
What the GLBA Safeguards Rule Requires
The FTC Safeguards Rule outlines key administrative, technical, and physical safeguards to protect customer data. Dealers must designate a Qualified Individual, perform a risk assessment, implement access controls, encrypt customer data, use multi-factor authentication, and oversee vendors. Regular monitoring, testing, and employee training are mandatory to maintain compliance.
What Happens If Dealers Don’t Comply
Failure to comply can lead to FTC penalties up to $50,000 per violation, ongoing monitoring, class-action lawsuits, and reputational damage. Lenders and insurers may also terminate business relationships with non-compliant dealerships.
How NIST, CIS, and ISO Frameworks Support GLBA Compliance
Dealers can strengthen compliance by aligning with established frameworks. NIST CSF 2.0 helps identify and manage risk, CIS Controls v8 provides specific safeguards like MFA and logging, and ISO/IEC 27001 offers a structured security management system.
Final Takeaway
Compliance with the GLBA Safeguards Rule isn’t optional — it’s essential to protect customer trust and your dealership’s bottom line. The cost of non-compliance far outweighs the investment in a structured cybersecurity program.
At Timber Island Technologies, we help auto dealerships design and implement GLBA-compliant security programs, vendor reviews, and employee training tailored to the automotive industry. Contact us today to schedule a consultation: www.timberislandtech.com/contact