Safeguard Customer Info
September 1, 2003
With terrorism and identity theft on many Americans' minds, consumer information concerns have become a hot issue with the federal government.
Businesses (including car dealerships) that handle sensitive customer data must comply with provisions of the Gramm-Leach-Bliley Act and the resulting Federal Trade Commission's (FTC) privacy and safeguards rules.
The privacy rule addresses how you share information about consumers who obtain or apply for credit or lease products from your dealership. The safeguards rule deals with how you and your staff protect information about your finance and lease customers.
The privacy rule requires dealerships to provide customers with a copy of the dealership's privacy policy, explaining how the dealership intends to use the customer's non-public personal information. It has been in effect since July 1, 2001.
The safeguards rule requires dealerships to protect the information.
It applies, however, only to those transactions involving persons who obtain a financial product or service from your dealership primarily for personal, family, or household purposes. It does not safeguard information about companies or about individuals obtaining financial products or services for business purposes.
The safeguards rule requires an Information Security Program (ISP) that documents your dealership's policies and procedures for the safeguards in place to protect customer information. There are five required elements of this rule. You must:
Designate at least one employee to coordinate your ISP
Identify reasonably foreseeable internal and external risks
Design and implement customer information safeguards
Oversee service providers
Monitor compliance with your ISP throughout each year
Although the FTC does allow some flexibility depending on the size of the dealership and the sophistication of your computer systems and information management tools, compliance will be difficult and ongoing, and it may be expensive. You may need outside help.
The following are recommended monitoring and testing procedures:
Daily
Look for open/unlocked doors to customer information sensitive areas
Look for unprotected car deals and other customer information
Look for computers that have not been signed off or are not password-protected
Weekly
Review attempts to access dealership network through your firewall and document findings
Review attempts to access the Dealership Management System (DMS) through your firewall and document findings
Spot check sales, F & I, and accounting areas for unprotected customer info
Monthly
Do ongoing tests of ISP for compliance
Verify that passwords have been changed at the network and DMS levels
Update outstanding list of service provider contract addendums
Quarterly
Review new-hire and personnel files for required information, including a criminal background check, and verify that each applicant has been checked against the Treasury Department's Office of Foreign Assets Control database
Review personnel training records and access needs for additional training
Review and test customer information release request forms
Annually
Perform an annual audit, including a risk assessment of the existing ISP, and make appropriate changes as necessary
Perform emergency DMS backup procedures
Perform tests of physical and electronic storage for adequacy of protection
Dealerships were required to implement their Information Security Programs by May 23. Penalties for not complying include fines of up to $11,000 per violation, long-term consent decrees and possible revocation of your dealer license.
If you have not already implemented your ISP, do so without delay.
Don Ray is a senior member of the George B. Jones Dealer Services division of Dixon Odom, a national accounting and consulting group for dealers. He's at 901-684-5643 and [email protected].