With terrorism and identity theft on many Americans' minds, consumer information concerns have become a hot issue with the federal government.
Businesses (including car dealerships) that handle sensitive customer data must comply with provisions of the Gramm-Leach-Bliley Act and the resulting Federal Trade Commission's (FTC) privacy and safeguards rules.
The privacy rule addresses how you share information about consumers who obtain or apply for credit or lease products from your dealership. The safeguards rule deals with how you and your staff protect information about your finance and lease customers.
The privacy rule requires dealerships to provide customers with a copy of its privacy policy and how the dealership intends to use the customer's non-public personal information. It's been in effect since July 1, 2001.
The safeguards rule requires dealerships to protect the information.
It applies, however, only to those transactions involving persons who obtain a financial product or service from your dealership primarily for personal, family, or household purposes. It does not safeguard information about companies or about individuals obtaining financial products or services for business purposes.
The safeguard rule requires an Information Security Program (ISP) that outlines your dealership's policies and procedures on safeguards in place to protect customer information. There are five required elements of this rule. You must:
- Designate at least one employee to coordinate your ISP
- Identify reasonable foreseeable internal and external risks
- Design and implement customer information safeguards
- Oversee service providers
- Monitor compliance with your ISP throughout each year
Although the FTC does allow some flexibility depending on the size of the dealership and the sophistication of your computer systems and information management tools, compliance will be difficult, ongoing and may be expensive. You may need outside help.
The following are recommended monitoring and testing procedures:
Daily
- Look for open/unlocked doors to customer information sensitive areas
- Look for unprotected car deals and other customer information
- Look for computers not signed-off or not protected by password
Weekly
- Review attempts to access dealership network through your firewall and document findings
- Review attempts to access dealership DMS through your firewall and document findings
- Spot check sales, F & I, and accounting areas for unprotected customer info
Monthly
- Do ongoing tests of ISP for compliance
- Verify change of passwords at network and Dealership Management System (DMS) levels
- Update outstanding list of service provider contract addendums
Quarterly
- Review new hire and personnel files for required information including a criminal background check and verify the clearing of the Treasury Department's Office of Foreign Assets Control database of each applicant
- Review personnel training records and access needs for additional training
- Review and test customer information release request forms
Annually
- Perform annual audit including risk assessment of existing ISP and make appropriate changes as necessary
- Perform emergency DMS backup procedures
- Perform tests of physical and electronic storage for adequacy of protection
Dealerships were required to implement their Information Security Programs by May 23. Penalties for not complying include fines of up to $11,000 per violation, long-term consent decrees and possible revocation of your dealer license.
If you have not already implemented your ISP, do so without delay.
Don Ray is a senior member of the George B. Jones Dealer Services division of Dixon Odom, a national accounting and consulting group for dealers. He's at 901-684-5643 and [email protected].
