Auto dealerships rely on dozens of third-party vendors — DMS providers, payment processors, CRM platforms, F&I software, marketing tools, and more. Each one of these vendors touches sensitive customer data, from Social Security numbers to financial records. Under the FTC Safeguards Rule, your dealership is responsible for managing the security risks those vendors introduce, not just your own internal systems.
Since the updated Safeguards Rule took full effect in June 2023, the FTC has made it clear that third-party vendor oversight isn’t optional. Dealerships that fail to assess, monitor, and contractually bind their vendors to adequate security standards face enforcement actions, fines, and — worst of all — data breaches that can devastate customer trust.
What Does the FTC Safeguards Rule Require for Vendor Management?
The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions — which includes auto dealerships — to develop, implement, and maintain a comprehensive information security program. Section 314.4(f) specifically addresses service provider oversight.
Under this section, dealerships must:
- Select vendors capable of maintaining appropriate safeguards for the customer information they handle
- Require vendors by contract to implement and maintain security measures
- Periodically assess vendors based on the risk they present and the continued adequacy of their safeguards
This isn’t a one-time checkbox. The FTC expects ongoing vendor monitoring as part of your dealership’s written information security plan. Your Qualified Individual — the person designated to oversee your security program — must include vendor risk in their regular risk assessments and annual reporting to dealership leadership.
Why Are Dealership Vendors a Major Security Risk?
Dealerships are high-value targets because they store and process large volumes of personally identifiable information (PII) and financial data. A single dealership may handle thousands of credit applications, driver’s license copies, insurance records, and bank account details every year.
The challenge is that much of this data flows through third-party systems your dealership doesn’t directly control:
- DMS platforms (CDK Global, Reynolds and Reynolds, Dealertrack) store virtually everything — customer records, deal jackets, service histories, parts inventory, and accounting data
- Payment processors handle credit card transactions at service desks, parts counters, and F&I offices
- CRM and marketing platforms store customer contact information, purchase history, and communication preferences
- F&I product providers access credit reports and financial documents
- Website and digital retailing tools collect leads with personal information
The 2024 CDK Global cyberattack demonstrated this risk in dramatic fashion. When CDK’s systems went down, approximately 15,000 dealership locations across North America were affected, forcing many to revert to paper processes for weeks. The incident underscored how a single vendor compromise can cascade across an entire industry.
How Do You Build a Vendor Risk Assessment Program?
Building an effective vendor risk management program doesn’t require an army of compliance staff, but it does require a structured approach. Here’s how dealerships should think about it:
Step 1: Inventory All Vendors Who Touch Customer Data
Start by creating a complete list of every third-party vendor, contractor, and service provider that accesses, stores, processes, or transmits customer information on your behalf. Most dealerships are surprised by how long this list gets. Don’t forget:
- DMS and software providers
- Payment and lending partners
- IT service providers and managed service providers
- Cloud hosting and backup providers
- Shredding and document destruction companies
- Marketing agencies with access to customer lists
- Phone system and communication platform providers
Step 2: Classify Vendors by Risk Level
Not every vendor presents the same level of risk. A vendor that hosts your entire DMS in the cloud represents far greater risk than a vendor that prints your business cards. Classify vendors into tiers:
- High risk: Vendors with direct access to large volumes of customer PII or financial data (DMS providers, payment processors, F&I platforms)
- Medium risk: Vendors with limited data access or indirect exposure (marketing platforms, phone systems, website hosts)
- Lower risk: Vendors with minimal or no customer data access (office supply vendors, facilities maintenance)
Focus your deepest assessment efforts on high-risk vendors.
Step 3: Assess Vendor Security Practices
For high-risk and medium-risk vendors, you need to evaluate their security posture. Key areas to examine include:
- Encryption: Do they encrypt customer data both in transit and at rest?
- Access controls: How do they restrict who can access your data within their organization?
- Incident response: Do they have a documented plan for handling data breaches, and will they notify you promptly?
- Employee training: Do their staff receive regular security awareness training?
- Certifications: Do they hold relevant certifications like SOC 2 Type II, ISO 27001, or PCI DSS compliance?
- Backup and recovery: How do they protect against data loss, and what are their recovery time objectives?
Many larger vendors will provide SOC 2 reports or security questionnaire responses upon request. If a vendor refuses to share basic security information, that itself is a red flag worth documenting.
Step 4: Establish Contractual Requirements
The FTC Safeguards Rule specifically requires that vendor contracts include security obligations. Every agreement with a vendor handling customer data should address:
- The vendor’s obligation to maintain specific security safeguards
- Notification requirements in the event of a security incident or data breach
- Your right to audit or assess the vendor’s security practices
- Data handling requirements upon contract termination (return or destruction of data)
- Restrictions on the vendor’s ability to share your data with subcontractors
Work with legal counsel familiar with automotive compliance to ensure your vendor agreements meet FTC expectations.
What Should Dealerships Look for When Evaluating DMS Provider Security?
DMS providers deserve special scrutiny because they are the backbone of dealership operations and hold the most sensitive data. When evaluating your DMS provider’s security:
- Ask for their SOC 2 Type II report — this is an independent audit of their security controls over time, not just a point-in-time snapshot
- Understand their data center and hosting infrastructure — where is your data physically stored, and what redundancy exists?
- Review their breach notification policy — the FTC expects you to be able to notify affected customers promptly, which means your DMS provider must notify you first
- Evaluate their disaster recovery capabilities — after the 2024 CDK incident, dealerships should be asking tough questions about recovery time objectives and business continuity plans
- Check their track record — have they experienced breaches before, and how did they respond?
How Often Should Dealerships Reassess Vendor Risk?
The FTC doesn’t specify an exact reassessment frequency, but industry best practice — and what the FTC considers “periodically” — typically means:
- Annual formal reassessment of all high-risk vendors, including review of updated SOC 2 reports and security questionnaires
- Ongoing monitoring for reported breaches, regulatory actions, or significant changes at vendor organizations
- Trigger-based reassessment when a vendor experiences a security incident, undergoes a merger or acquisition, or significantly changes their service offering
- Contract renewal review as an opportunity to update security requirements
Document every assessment. The FTC looks for evidence that your dealership is actively managing vendor risk, not just checking a box once and forgetting about it.
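The tiering rules from Step 2, the "refuses to share security information" red flag from Step 3, and the reassessment cadence listed above can be kept in one vendor risk register. The following is an added Python example, not COMNEXIA's tooling or code from this page; the tier labels, the 90-day pre-renewal review window, the trigger-event names, and the three sample vendors are assumptions.

```python
# Added illustration of this page's vendor tiering and reassessment cadence; not
# COMNEXIA tooling. Tier labels, the 90-day renewal window and sample vendors are assumed.
from dataclasses import dataclass, field
from datetime import date, timedelta

REASSESS_TRIGGERS = {"security_incident", "merger_or_acquisition", "service_change"}

@dataclass
class Vendor:
    name: str
    pii_volume: str             # "high", "limited" or "none" (assumed labels)
    financial_data: bool        # direct access to credit or financial records
    shares_security_info: bool  # provided a SOC 2 report / questionnaire on request
    last_assessed: date
    contract_renewal: date
    events: list = field(default_factory=list)  # e.g. "security_incident"

def classify(v: Vendor) -> str:
    """Step 2 tiers: large PII/financial access is high, limited is medium, else lower."""
    if v.pii_volume == "high" or v.financial_data:
        return "high"
    return "medium" if v.pii_volume == "limited" else "lower"

def review_reasons(v: Vendor, today: date) -> list:
    """Annual cycle for high-risk vendors, trigger events for any vendor, upcoming
    contract renewal, and the red flag of a vendor refusing to share security details."""
    reasons, tier = [], classify(v)
    if tier == "high" and today - v.last_assessed >= timedelta(days=365):
        reasons.append("annual reassessment overdue")
    reasons += [f"trigger: {e}" for e in v.events if e in REASSESS_TRIGGERS]
    if v.contract_renewal <= today + timedelta(days=90):  # assumed review window
        reasons.append("contract renewal within 90 days")
    if tier != "lower" and not v.shares_security_info:
        reasons.append("red flag: vendor declined to share security information")
    return reasons

def risk_register(vendors, today: date) -> dict:
    """Vendor name -> (tier, reasons); an empty reason list means nothing is due."""
    return {v.name: (classify(v), review_reasons(v, today)) for v in vendors}

# Constructed sample register, evaluated as of a fixed date.
AS_OF = date(2025, 6, 1)
SAMPLE = [
    Vendor("DMS provider", "high", True, True, date(2024, 3, 1), date(2026, 12, 31)),
    Vendor("Marketing platform", "limited", False, False, date(2025, 2, 1),
           date(2026, 12, 31), ["merger_or_acquisition"]),
    Vendor("Office supply", "none", False, False, date(2025, 1, 1), date(2025, 7, 15)),
]
if __name__ == "__main__":
    print(risk_register(SAMPLE, AS_OF))
```

Each non-empty reason list is an item to document; a lower-tier vendor still surfaces at contract renewal, which is when its security terms get updated.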
How Can a Managed IT Provider Help With Vendor Risk Management?
Many dealerships — especially single-location or small group operations — don’t have dedicated compliance or IT security staff. This is where working with a managed IT provider experienced in automotive dealership environments becomes valuable.
An experienced automotive dealership IT partner can:
- Conduct technical security assessments of your vendor ecosystem
- Help you develop and maintain your vendor risk management documentation
- Review vendor SOC 2 reports and security questionnaires with expert eyes
- Monitor your network for unauthorized vendor access or data exfiltration
- Assist with incident response coordination when a vendor experiences a breach
- Provide the technical expertise your Qualified Individual needs to fulfill their FTC reporting obligations
At COMNEXIA, we’ve spent over 35 years working with dealerships across the Atlanta metro area and beyond, helping them navigate the intersection of technology, compliance, and daily operations. We understand the specific vendor landscape dealerships operate in — from DMS platforms to payment processors — because we’ve worked alongside these systems for decades.
If your dealership needs help building or improving your vendor risk management program, our IT consulting team can assess your current vendor relationships and help you develop a structured approach that satisfies the FTC and actually protects your business.
What Happens If a Dealership Ignores Vendor Risk Management?
The consequences of neglecting vendor oversight are real and growing:
- FTC enforcement: The FTC has increased its focus on auto dealer compliance since the updated Safeguards Rule took effect. Enforcement actions can include consent orders, mandated security programs, and financial penalties.
- State attorney general actions: Many states have their own data protection laws that create additional liability for vendor-related breaches.
- Breach costs: IBM’s 2024 Cost of a Data Breach Report found the average breach cost reached $4.88 million globally. For dealerships handling financial data, costs can include regulatory fines, customer notification, credit monitoring, legal fees, and lost business.
- Reputational damage: Customers trust dealerships with some of their most sensitive personal information. A breach — even one caused by a vendor — damages that trust and can drive customers to competitors.
Frequently Asked Questions
Does the FTC Safeguards Rule apply to all auto dealerships?
Yes. The FTC Safeguards Rule applies to all “financial institutions” under the Gramm-Leach-Bliley Act, which includes auto dealerships that extend credit, arrange financing, or lease vehicles. This covers virtually every franchise and independent dealership in the United States.
What is a Qualified Individual under the Safeguards Rule?
The Qualified Individual is the person your dealership designates to oversee and implement your information security program. This person doesn’t need to be an employee — they can be an outside consultant or managed IT provider — but they must have the knowledge and authority to manage the program effectively, including vendor risk oversight.
Can a dealership be held liable for a data breach caused by a vendor?
Yes. Under the FTC Safeguards Rule, your dealership is responsible for ensuring vendors maintain adequate safeguards. If a vendor breach exposes your customer data and you failed to properly assess or contractually bind that vendor, the FTC can hold your dealership accountable.
How do small dealerships with limited budgets handle vendor risk management?
Start with the basics: inventory your vendors, classify them by risk level, and prioritize your assessment efforts on high-risk vendors like your DMS and payment processor. Use vendor-provided SOC 2 reports rather than conducting expensive custom audits. Consider partnering with a managed IT provider who can spread the cost of compliance expertise across multiple dealership clients.
What should a dealership do immediately after learning about a vendor data breach?
Activate your incident response plan. Contact the vendor to understand the scope of the breach and whether your customer data was affected. Consult legal counsel about notification obligations under federal and state law. Document everything. Notify your Qualified Individual and dealership leadership. If customer data was compromised, begin the notification process required by applicable breach notification laws.