The Federal Trade Commission (FTC) released new frequently asked questions (FAQs) aimed at helping auto dealerships comply with its financial data protection regulations, emphasizing that the duty to protect consumers' nonpublic personal information continues even after the business relationship ends.
These new FAQs clarify how the agency's Safeguards Rule, part of the Gramm-Leach-Bliley Act (GLBA) enacted in 2003, applies to vehicle dealers that offer financing or leasing options. They address the types of customer information covered by the rule, the necessary components of the required written information security programs, and the requirement to report certain data breaches within 30 days of discovery. These obligations remain in place even after the dealership no longer has a business relationship with the customer who furnished nonpublic information in order to obtain a loan or financing.
"In other words, you must continue to protect customer information that you obtained from a customer, even if they are no longer a customer, for as long as you have that customer information in your possession," FTC staff advised. "You can securely dispose of the customer information at any point, however, and should do so once you no longer have a business need to keep it." (See question 10 of the new FAQs.)