Configurable Timeout period for inactivity logout
Mark DeGroot
Requesting that the 1-hour inactivity timeout be made admin-configurable at the rooftop or group level, within bounds DriveCentric defines (e.g., 30 min to 8 hr), defaulted to 1 hour so current behavior is preserved.
I've seen the standard response on prior cases citing "compliance rules." Respectfully, the FTC Safeguards Rule (16 CFR Part 314), which governs franchised auto dealers under GLBA, does not prescribe a session timeout value. It is explicitly risk-based: 314.3(a) requires controls "appropriate to" the dealership's size, complexity, and the sensitivity of information, and 314.4(c)(1) tasks the dealership's Qualified Individual with implementing and reviewing its own access controls. The June 2025 FTC FAQs for auto dealers reinforce this. Even HIPAA, which is more prescriptive, treats automatic logoff as an addressable specification (45 CFR 164.312(a)(2)(iii)) that the covered entity configures.
For comparison, other major dealership CRM/DMS platforms expose inactivity timeout as an admin-configurable setting and remain in compliance. A fixed, non-configurable value effectively shifts DriveCentric's compliance decision onto every customer with no ability to align it to our written risk assessment, MFA, RBAC, or physical controls — which is the opposite of what 314.4 contemplates.
The push-notification workaround addresses one symptom for service advisors but does not address sales, BDC, F&I, or management on desktop, or the underlying timeout.
If DriveCentric is relying on a specific regulation or examiner finding for the fixed 1-hour value, please cite it. If the constraint is internal (architecture, SOC 2, insurance), please state that directly so the conversation can proceed on accurate grounds.
Thank you,
Mark DeGroot — IT, Courtesy CDJR, Grand Rapids, MI
Shelby Parker
Thanks for taking the time to lay this out, Mark DeGroot — the context (and the compliance angle) is really helpful. I’ve shared this with the team so we can review what’s driving the fixed 1-hour timeout today and what it would take to support an admin-configurable range at the rooftop/group level while keeping the current default. If we need any additional details from your side to evaluate it properly, I’ll follow up.