Login
Login
MidAtlantic IADA- (717) 238-9002
- Mon-Fri 8:30am-4:30pm
04
February
2026
Get Your Safeguards House in Order
Dealerships are facing more pressure than ever to prove they take cybersecurity seriously. See why ignoring safeguards could lead to big trouble—and what you can do about it.
The recent 700 Credit Data breach should serve as a reminder that it’s crucial for all car dealers to make sure that their information security plan is robust, in writing and that implementation is demonstrable. The Pennsylvania Department of Banking makes it a point to ask about safeguards preparedness during its examinations. I encourage all dealerships to make it a point to be prepared to answer this question and be able to show the steps being taken to protect consumer information.
Increased Scrutiny is Coming
It’s obvious to me that this event will lead to increased regulatory scrutiny. I anticipate that the FTC will look into the practices of dealers and service providers alike to determine what is being done when it comes to Safeguards and vendor management. The FTC published guidance for car dealers in June of 2025 and I expect them to be curious and learn more about whether dealerships got the message.
At the state level, as mentioned, this is already part of the Department of Banking examinations, and I expect that scrutiny will only increase after this event. In the past year, I’ve already seen some state examiners ask for information security policies and incident response plans and I anticipate that this will become more common and the level of questioning will only increase. In the event of a security breach incident, you can expect to be put under the microscope and unawareness will not be a defense. This is certainly an issue that the Attorney General could also weigh in on.
Capital providers are already taking their own due diligence on this topic up a notch. I’ve had a handful of dealers reach out about information security plans and incident response plans. Now would be a good time for dealers to prepare themselves for this scrutiny and when necessary, educate their providers on the efforts that are being made.
Of course, plaintiff lawyers won’t ever pass up an opportunity to capitalize on a crisis. The facts hadn’t even been fully publicized before there was at least one class action lawsuit filed against 700 Credit, and you’d better believe lawyers big and small will be looking to get in on the action. The plaintiff bar in Pennsylvania is on the lookout and I anticipate that we’ll see a wave of data protection related inquiries over the next few months. For a good example of claims that can be brought against a dealership in a data breach lawsuit, do a Google search of the case of Morelli v. Jim Koons Management Company, which is a case out of Maryland from a few years ago.
Get Your Safeguards House in Order
Over the past year or two, I haven’t been shy about saying that I think a lot of dealers are whistling through the graveyard when it comes to cybersecurity and their obligations under the Safeguards Rule. My recent conversations with dealers in the past week have only reinforced this belief. While I did find some dealers that are doing a strong job in this area, I also spoke to several dealers that I felt were trying to bluff their way through the conversation without having a strong commitment to their safeguards obligations, while others outright admitted that they hadn’t been proactive in getting their house in order.
This event should be a wake up call for everyone. The bad actors aren’t going to stop. They will continue to attack businesses of all sizes and there will be other security breaches. In fact, the next security event has probably happened already, it just hasn’t been discovered yet. Even the best of companies with robust security infrastructure can be exploited. It only takes one open portal or one employee clicking on a phishing email.
Now is the time for everyone to take a deep dive into their information security practices. Do you know what your obligations are under the Safeguards rule? Are you committing the resources needed for success? Do you have a qualified individual? Are you training your employees? Make sure you have conducted a written risk assessment. Have you looked into cyber security insurance, which can be a “bet the business” decision if a breach event occurs.
Work with experts to carefully construct an information security policy suitable for your business and an incident response plan that can serve as a guide for your team if trouble strikes. These need to be updated regularly so that you can demonstrate your commitment and tell your story. The cold hard fact is that everyone that holds or manages consumer data is a target.
Steve Levine is an auto finance lawyer with over 30 years of experience protecting car dealers and finance companies. He is the Owner of Ignite Consulting Partners, which offers guidance on compliance, operations and best practices. He can be reached at info@ IgniteCP.com. His second book, Counterpunch: Compliance Strategies for Car Dealers, was published in early 2025 and is available on Amazon. Please follow Steve on X @LawyerLevine for compliance and industry related content.
As seen in our Magazine
Steve Levine
Steve Levine is an auto finance lawyer with over 30 years of experience protecting car dealers and finance companies. He is an owner and Chief Legal and Compliance Officer of Ignite Consulting Partners, which offers guidance on compliance, operations and best practices. He has also published two books, Winning the Fight: A Guide to Protect Car Dealers and Counterpunch: Compliance Strategies for Car Dealers which are both available on Amazon. Or contact info@IgniteCP.com to learn more. Please follow Steve on X @LawyerLevine for compliance and industry related content.
