The auto dealership industry and GLBA PenTesting

As an auto dealer, you cannot ignore the relevance and applicability of GLBA to your operations. The Gramm-Leach-Bliley Act, which came into effect more than two decades ago, remains a significant law for organizations across diverse industries. This regulation, also known as the Financial Services Modernization Act of 1999, brings automotive dealership businesses within its ambit. Since the digitalization and virtualization of business information continue at an unprecedented pace in every type of business entity, the necessity of stringent data protection compliance measures such as GLBA pentesting is irrefutable.

Understanding the applicability of GLBA regulations on auto dealerships

GLBA mandates various cybersecurity measures to protect sensitive customer data, specifically public financial information, for different types of companies, including auto dealerships. Auto dealers offering credit facilities and financing arrangements to customers must abide by GLBA requirements. The law comprises three key rules, including the safeguards rule and the privacy rule.

The privacy of consumer financial information rule governs how business entities may share the data they acquire from consumers in order to offer any form of financial service or product. Under the privacy rule, auto dealerships must give their customers a privacy notice that clearly and conspicuously describes the entity’s privacy policy and measures. As per regulatory guidelines, the privacy notice should cover the following details:

  • Categories of information collected
  • Categories of client information disclosed
  • Types of both affiliated and non-affiliated third parties with whom the dealer shares the information
  • Disclosures as per the requirements of the Fair Credit Reporting Act
  • The auto dealership’s data security measures and practices for securing the confidentiality of customers’ nonpublic personal information.
As per GLBA regulations, auto dealers should issue this privacy notice to any party that discloses sensitive information in the course of a transaction with them, whenever the dealer plans to share that information with a non-affiliated outside party.

Another critical rule, the safeguards rule, aims to shield consumer information and requires auto dealership entities to prepare and maintain a detailed information security program. It first took effect in 2003 and outlines the security measures required to safeguard customer information.

As highlighted in earlier articles, in December 2021 the FTC brought forth some critical GLBA amendments. These changes were initiated in response to recurring high-profile data breaches. The updated safeguards rule introduced further compliance obligations for business entities, including dealerships. A portion of the GLBA amendments has been in effect since January 10, 2022; liable businesses have to comply with the remaining changes by December 9, 2022. It is high time that auto dealers brace themselves for the compliance requirements of the remaining amendments that will come into effect soon. Let us look at some of the critical compliance obligations that auto dealers have to keep in mind in line with the revisions to the GLBA regulation.

Critical compliances resulting from the amended GLBA rules that auto dealers should know!

As a result of the introduced changes in GLBA, auto dealers need to gear up for the following requirements:

  • Dealership ventures must appoint a qualified individual to oversee, develop, monitor, and execute an information security program. This individual can enforce the program through an internal security team or a third-party service provider.
  • A periodic risk assessment should be undertaken to update and implement the information security program.
  • Auto dealers have to put in place client data safeguards such as encryption and access controls to mitigate the risks identified during risk assessments.
  • The revised rule also requires vulnerability testing, either through continuous monitoring or through a combination of yearly penetration tests and half-yearly vulnerability assessments.
  • Auto dealerships need policies and procedures, such as security awareness training and updating company personnel about newly discovered risks, to sustain proper implementation of the information security program by their employees.
  • The revised GLBA rule also requires auto dealership ventures to ensure that third-party service providers with access to their client information implement data security measures commensurate with the dealer’s own data security program. Dealers must regularly review the level of access such providers have to client information and the sufficiency of the data protection safeguards.
  • Auto dealer companies should draft an incident response plan to help manage any exposure of client information or any breach of their information system. This plan must define roles and responsibilities for handling the event, internal and external communication guidelines, and the process the dealer must follow to remediate the problems resulting from the incident.
  • Lastly, auto dealer entities also need to report to their governing body or board of directors, at least once a year, on the current state of the information security program, the status of compliance with GLBA requirements, and the occurrence of any material cybersecurity event.

Why is it necessary to sustain compliance with GLBA security requirements?

Organizations in the auto dealership industry cannot afford to overlook GLBA compliance requirements. Violations of the safeguards rule and the privacy rule can result in hefty penalties of up to $46,517 per violation. Non-compliance by auto dealers can also lead to consent decrees with the FTC and increased enforcement. A consent decree is a strictly regulated and managed settlement under which the FTC periodically examines the dealership business’s compliance.

Finally, failure to comply with GLBA requirements can even result in imprisonment of the responsible management members of the company under Title 8 of the U.S. Code.

As per the National Automobile Dealers Association (NADA), the cost of complying with GLBA requirements can exceed an average of $276,900 per year.
Thus, auto dealerships need quality-driven and cost-effective assistance with essentials such as GLBA pentesting and vulnerability assessment.

How can NaviSec support auto dealers with GLBA penetration testing and allied cybersecurity compliances?

The GLBA amendments stress the need for continuous monitoring or for regularly conducting penetration testing and vulnerability assessments. Auto dealers must abide by this critical regulatory requirement and undertake a vulnerability assessment at least once every 6 months and a GLBA pentest at least once every year. NaviSec offers premium-quality and pocket-friendly penetration testing and vulnerability assessment services for auto dealers. Our tailored service packages make GLBA compliance feasible for auto dealers of all sizes.
NaviSec offers different variants of penetration testing, such as white box and black box pentests, to meet customers’ specifications. We have experience working with organizations across different industries, including auto dealerships. Our expertise is not limited to penetration testing; we also deliver end-to-end support for vulnerability assessments and incident response.

Drive your auto dealership business in the right direction of complete compliance with NaviSec’s GLBA PenTesting services!

NaviSec is an avant-garde name in the cybersecurity domain that offers a complete range of services for regulatory compliance. Our GLBA penetration testing services for auto dealers can help them meet the requirements of the revised regulations and secure their critical data. We have a team of tech-savvy and experienced professionals who use best-in-class tooling to carry out your pentests and other security assessments. Consult our team for more details!