Certain businesses ― including auto dealerships ― are subject to the Safeguards Rule, which was designed by the Federal Trade Commission (FTC) to protect customer information from being shared inappropriately as required by the Gramm-Leach-Bliley Act.
Warning
The FTC has issued a warning to auto dealers stating that the agency does not conduct onsite investigations for privacy violations.
This is in response to situations where frauds posed as FTC agents, presumably to gain access to customer information.
Practically speaking, however, many businesses are not in full compliance with the law. And some auto dealerships are among the worst offenders. If your dealership is found by the FTC to be careless with sensitive customer information, the fines can be hefty, up to $11,000 per day until a dealership comes into compliance.
Specifically, the Safeguards Rule requires dealers “to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”
“Customer Information” Defined
According to the FTC, customer information includes personally identifiable data collected by dealers in connection with finance, lease, or insurance contracts, unless the information is publicly available.
The FTC is clear about the requirements for compliance. Your business must:
- Appoint an employee to coordinate your dealership’s security plan. Successful implementation must include giving the coordinator the time, resources, and authority needed to ensure compliance.
- Identify foreseeable risks that could lead to a breach of customer security, and assess the existing safeguards to determine if they are sufficient to control the risks. Although there is no requirement to put the risk assessment in writing, it’s a good idea to do so in case the FTC asks you to show evidence of compliance.
- Develop safeguards to mitigate the identified risks and regularly monitor their effectiveness. See the “Four Step Self-Audit” below.
- Ensure that the service providers your dealership deals with also take reasonable measures to maintain customer security and oversee the effectiveness of those measures. For your protection, consider making this part of your contracts with service providers.
- Adjust programs if necessary, based on the results of monitoring the effectiveness of your program, or when changes in your business make adjustments necessary to maintain a high level of security.
Four-Step Self Audit
With a large staff busy with customers all day long, it can be hard to know if all your employees are taking sufficient precautions to protect confidential information. Still, it must be done. It should take only a few minutes to conduct a self-audit to look for telltale signs of lax practices. Here are four key steps to help your dealership stay in compliance:
- Get into the dealership showroom first thing in the morning before anyone else has arrived. With a quick tour of the showroom, inspect the sales desks and common work areas, including trashcans, printers, fax areas and copiers. Look for stray documents that contain customer information that should not be left out in the open.
- Do a similar walk-through of the finance office. As with your salespeople, be on the lookout for items that reveal customer information other than just their names. It is surprising how often a simple check can uncover violations.
- Inspect the dealership’s computer terminals at an appropriate time. (Again, before or after hours is often ideal.) Ensure that employees have properly logged out for the day and that passwords remain protected so that customer information is not accessible. Warn employees when violations are detected.
- Determine if you can obtain access to accounting and bookkeeping files before or after normal hours. This isn’t necessarily limited to access on computers. Check desks and filing cabinets to make sure they are locked and secure.
Don’t just conduct a self-audit once and then forget about it. Run through these four steps periodically to ensure that your business is continuing to comply with the law. Important: Address any violations you uncover immediately.
Auto dealers also have additional requirements to comply with the Gramm-Leach-Bliley Act and the FTC’s Privacy Rule. Click here for some answers from the FTC to questions that auto dealers frequently ask.
Councilor, Buchanan & Mitchell (CBM) is a professional services firm delivering tax, accounting and business advisory expertise throughout the Mid-Atlantic region from offices in Bethesda, MD and Washington, DC.
© 2018
