When a customer sits down at a dealership to finance a vehicle, they hand over some of their most sensitive personal information: Social Security number, driver's license, income documentation, employment history, bank account details, and full credit history. Every deal folder in your F&I office is a goldmine for identity thieves.
The Federal Trade Commission recognized this risk and strengthened the Gramm-Leach-Bliley Act Safeguards Rule accordingly. As of June 2023, auto dealerships that offer financing — which includes virtually every franchised and independent dealer in the country — are required to implement specific technical controls to protect the customer financial information they collect. A VPN with encryption is one of the controls that directly satisfies several of these requirements.
Here is what dealership owners and general managers need to know.
Why Auto Dealerships Are High-Value Targets
Dealerships process more sensitive financial data per transaction than almost any other retail business. A single car deal can involve a credit application with a Social Security number, a credit report, bank statements, pay stubs, proof of insurance, and account numbers for down payment transfers. Multiply that by your monthly unit volume and you have a substantial database of customer financial records.
The FBI's Internet Crime Complaint Center has specifically flagged auto dealerships as targets for business email compromise, ransomware, and credential theft. Attackers impersonate manufacturers, lenders, and title companies with convincing phishing emails aimed at intercepting wire transfers and harvesting DMS login credentials.
A 2024 breach at CDK Global — the dealership management software used by thousands of dealers — shut down operations at approximately 15,000 dealerships for two weeks, resulting in estimated losses exceeding $1 billion. That attack was a reminder that dealership systems hold data that is both valuable and surprisingly accessible.
What the FTC Safeguards Rule Requires
The updated Safeguards Rule requires auto dealerships that are financial institutions under GLBA to implement a written information security program (WISP) with specific technical safeguards. The requirements most directly addressed by a VPN include:
- Encryption of customer information in transit and at rest — any customer financial data transmitted over a network must be encrypted
- Access controls — only authorized personnel with a legitimate business need should be able to access customer information
- Multi-factor authentication — required for anyone accessing customer financial data remotely
- Secure remote access — remote connections to your DMS and financial systems must be encrypted and authenticated
- Monitoring and testing — you must be able to detect and log access to customer information
A VPN with AES-256-GCM encryption directly addresses the transit encryption and secure remote access requirements. It ensures that any connection to your DMS from outside the dealership — your F&I manager reviewing deals from home, your controller pulling reports remotely, your IT vendor accessing your system — travels through an encrypted tunnel, so anyone who captures that traffic on the way cannot read it.
CyberFence is built for compliance. AES-256-GCM encryption, zero-log policy, Kill Switch, and US-operated infrastructure — everything your dealership needs for FTC Safeguards Rule documentation. Starting at $7.99/mo.
The Specific Risks Dealerships Face
Unsecured Remote DMS Access
Dealer principals, controllers, and F&I managers frequently access Reynolds & Reynolds, CDK, DealerSocket, and similar DMS platforms from home or while traveling. Without a VPN, these remote connections transmit login credentials and customer data over unencrypted connections that can be monitored on any shared network.
Multi-Rooftop Operations
Dealer groups with multiple locations move customer data between rooftops — transfers, sold units, service records, lender submissions. Without encrypted connections between locations, this data crosses the public internet unprotected. A VPN creates encrypted site-to-site connections that keep inter-rooftop data transfers secure.
Third-Party Vendor Access
Your DMS vendor, your IT contractor, your F&I product provider — all of them may need periodic access to your systems. Under the FTC Safeguards Rule, you are responsible for ensuring that third-party service providers implement appropriate safeguards. Requiring vendors to connect only through an encrypted VPN channel is a practical way to meet this obligation.
Lender Portal Access on Public Networks
Sales managers and F&I managers sometimes access lender portals — RouteOne, Dealertrack, individual captive finance sites — from personal devices or public networks at off-site events. Without a VPN, these sessions expose lender credentials and customer deal information to interception.
Phishing Targeting Dealership Staff
The most common entry point for dealership breaches is phishing email. Attackers send convincing messages impersonating manufacturers (factory invoices, incentive updates), lenders (funding approvals, contract corrections), and title companies (title status updates). CyberFence's Web Shield DNS filtering blocks connections to known phishing domains before any page loads — stopping these attacks before staff can click a malicious link.
How a VPN Fits Into Your Safeguards Rule Compliance Program
The FTC Safeguards Rule requires a written information security program with a qualified individual overseeing it. Your VPN becomes a documented technical control within that program. Here is how it maps to specific requirements:
- Encryption requirement → VPN provides AES-256-GCM encryption for all data in transit between remote devices and your DMS
- Access control requirement → VPN restricts DMS access to authenticated, enrolled devices when your DMS is configured to accept remote connections only through the VPN; an attacker with a stolen password then cannot reach your DMS without also controlling an enrolled VPN device
- Remote access security requirement → VPN documents that all remote sessions are encrypted and authenticated
- Service provider oversight requirement → requiring vendors to use VPN access provides a documented control for third-party access
When your designated qualified individual (required under the Safeguards Rule) prepares your annual risk assessment, "AES-256-GCM encrypted VPN deployed on all remote access devices" is a specific, documentable technical control that addresses the transmission encryption requirement directly.
Implementation for a Typical Dealership
Getting a VPN running at a dealership is straightforward. For a typical single-rooftop operation:
- Install CyberFence on every device that accesses your DMS or lender portals remotely — the GM's laptop, the controller's home computer, F&I managers' personal devices if they do home deals, any IT contractor devices
- Enable the Kill Switch on every device — if the VPN tunnel drops unexpectedly, the Kill Switch blocks the device's network traffic so a DMS session cannot silently fall back to an unencrypted connection
- Turn on Web Shield — DNS-level phishing and malware blocking protects your staff from the most common attack vector targeting dealerships
- Brief your team — anyone accessing dealership systems remotely must connect the VPN before logging into any system. Five minutes of training covers the entire policy
- Document the control — add "AES-256-GCM VPN required for all remote DMS access" to your Safeguards Rule WISP. This is a concrete, verifiable technical safeguard
For multi-rooftop dealer groups, your IT provider may configure a site-to-site VPN between rooftops in addition to client VPNs for individual remote users. Both scenarios are straightforward to implement.
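The "connect the VPN before logging into any system" policy above is only a verifiable safeguard if someone actually checks it. As an added example (not CyberFence's code, nor any DMS vendor's), the Python script below audits constructed VPN-client connect/disconnect events against constructed DMS login records and flags any login that happened while the device had no active tunnel, or that arrived from an address outside the VPN's tunnel pool. The log formats, field names, device names and the 10.8.0.0/24 pool are assumptions made for this illustration.

```python
"""Audit the 'VPN before DMS login' policy against two log sources.

Added example. The key=value log layout, the event names and the
10.8.0.0/24 tunnel address pool are assumptions, not the output of
CyberFence or of any DMS product.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import re

# Constructed sample VPN-client events (one connect/disconnect pair for the
# GM's laptop, one still-open session for the controller's home PC).
VPN_LOG = """\
2024-05-02T07:58:10Z device=gm-laptop event=vpn_connected
2024-05-02T08:40:00Z device=gm-laptop event=vpn_disconnected
2024-05-02T09:02:30Z device=controller-home event=vpn_connected
"""

# Constructed sample DMS authentication records.
DMS_LOG = """\
2024-05-02T08:05:40Z device=gm-laptop user=gm event=dms_login src=10.8.0.12
2024-05-02T08:45:15Z device=gm-laptop user=gm event=dms_login src=73.12.44.9
2024-05-02T09:10:00Z device=controller-home user=ctrl event=dms_login src=10.8.0.31
2024-05-02T10:15:00Z device=fi-mgr-phone user=fimgr event=dms_login src=172.58.20.7
"""

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")  # assumed tunnel address range
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ISO timestamp> k=v k=v ...' into (aware datetime, dict)."""
    ts_str, _, rest = line.partition(" ")
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return ts, dict(KV_RE.findall(rest))


def vpn_sessions(log_text):
    """Build {device: [(start, end_or_None), ...]} from connect/disconnect events."""
    sessions, open_sessions = {}, {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, f = parse_line(line)
        dev = f["device"]
        if f["event"] == "vpn_connected":
            open_sessions[dev] = ts
        elif f["event"] == "vpn_disconnected" and dev in open_sessions:
            sessions.setdefault(dev, []).append((open_sessions.pop(dev), ts))
    for dev, start in open_sessions.items():      # sessions still up at end of log
        sessions.setdefault(dev, []).append((start, None))
    return sessions


def tunnel_active(sessions, device, ts):
    """True if `device` had a VPN session covering instant `ts`."""
    return any(start <= ts and (end is None or ts < end)
               for start, end in sessions.get(device, []))


@dataclass
class Finding:
    ts: str
    device: str
    user: str
    reasons: tuple


def audit(vpn_log, dms_log, pool=VPN_POOL):
    """Return a Finding for every DMS login that violates the VPN-first policy."""
    sessions = vpn_sessions(vpn_log)
    findings = []
    for line in filter(str.strip, dms_log.splitlines()):
        ts, f = parse_line(line)
        reasons = []
        if not tunnel_active(sessions, f["device"], ts):
            reasons.append("no active VPN session for device")
        if ipaddress.ip_address(f["src"]) not in pool:
            reasons.append("source address outside VPN pool")
        if reasons:
            findings.append(Finding(ts.isoformat(), f["device"], f["user"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for fnd in audit(VPN_LOG, DMS_LOG):
        print(f"{fnd.ts} {fnd.device} ({fnd.user}): " + "; ".join(fnd.reasons))
```

Run against the constructed logs, the script reports two violations: the GM's second login at 08:45, five minutes after the tunnel dropped and arriving from a home ISP address (exactly the fallback a Kill Switch is meant to prevent), and a login from a phone that never connected at all. The two checks are deliberately independent: the session check catches a device that is enrolled but not connected, while the address check catches a device that is not in the VPN logs because it was never enrolled. A weekly run of this kind of report, kept with the WISP, is the sort of evidence the "monitoring and testing" requirement asks for.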
What Happens Without Adequate Protection
FTC Safeguards Rule violations carry penalties up to $51,744 per violation per day. A single breach that exposes customer financial records while the dealership lacked documented technical controls is the kind of event that triggers FTC enforcement actions.
Beyond regulatory exposure, the reputational damage from a dealership data breach is substantial. Customers who financed a vehicle through your dealership trusted you with their credit history and Social Security number. A breach notification letter from their dealer is not something most customers will forget — and in a business where repeat customers and referrals drive a significant portion of sales volume, that trust matters.
Protect your dealership and your customers. CyberFence gives your entire team AES-256-GCM encrypted remote access, Web Shield phishing protection, and a Kill Switch — all documented controls for your Safeguards Rule WISP. Starting at $7.99/mo.
The Bottom Line
Auto dealerships that offer financing are financial institutions under GLBA and are required to implement technical safeguards for customer financial information under the FTC Safeguards Rule. A VPN with AES-256-GCM encryption, a Kill Switch, and DNS-level threat blocking is a practical, affordable way to satisfy the transit encryption, remote access security, and access control requirements — and to document those controls in your written information security program.
The cost of compliance is a fraction of the cost of a breach. The tools are available and straightforward to deploy. There is no good reason to wait.