In the course of day-to-day business, dealerships collect personal information from consumers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.
The Federal Safeguards Rule, which was enacted in 2003 and is enforced by the Federal Trade Commission, requires dealerships to have a security plan to protect the confidentiality and integrity of personal consumer information.
Since most dealerships are far more technologically advanced than they were when the Safeguards Rule first came into play, protecting consumer information has become quite a bit more challenging. It’s no longer just a matter of making sure that credit apps aren’t lying on top of desks in the showroom or that deal jackets are stored in locking cabinets.
The potential consequences for non-compliance with the Safeguards Rule are substantial. Besides private lawsuits and reputation damage, civil penalties of up to $10,000 per violation can be assessed, along with criminal penalties which could include imprisonment and fines.
In case you haven’t noticed, it’s become painfully apparent that the FTC has placed car dealers on its enforcement radar screen recently. So, if you haven’t done so in a while, now may be a good time to dust off your Information Safeguards Policy and update it as needed. Following are some recommended guidelines and best practices for a modern Safeguards Program:
- Access to customer information should be limited to employees who have a business reason to see it, and only to the extent they need it to do their jobs.
- Dealership employees should not be permitted to use or reproduce customer information for their own use or for any use not authorized by the Dealership.
- Any customer information that is allowed to leave the dealership, either in paper form or on employees’ electronic devices, can greatly increase a company’s exposure. Customer information should always remain in management control. Allowing staff members to retain “working” customer files for follow-up purposes is risky at best. In addition, consider limiting CRM access to dealership computers only for all but the most trusted top-level personnel. If you allow certain employees to use personal computers to store or access customer data, they should be required to use protections against viruses, spyware, and other unauthorized intrusions.
- The dealership should utilize anti-virus software and maintain computer firewalls.
- The ability to download customer information from dealership computers to portable media such as USB drives, external hard drives, or other remote devices should be disabled.
- Inbound or outbound credit card information, credit applications, or other sensitive financial data transmitted to the dealership directly from consumers should only be sent through an encrypted or secure connection. Consumers should be advised against transmitting sensitive data by email or fax. If sensitive data must be transmitted to the dealership by email, such transmissions should be password controlled or otherwise protected from theft or unauthorized access.
- Customer financial information should not be stored on any computer system with a direct Internet connection.
- Paper-based customer information should not be left exposed and unattended in an unsecured area, and should be stored in a room or file cabinets that are locked or otherwise not available to the general public. Be aware that consumer information in plain sight can be taken or even photographed with a cell phone.
- All customer information should be disposed of in a secure manner. Paper-based customer information should be shredded prior to disposal and electronic information should be effectively deleted prior to hardware disposal. This includes the hard drives of digital copiers, fax machines and PCs.
- Electronic customer information should be stored on secure servers and access to the information should be password controlled.
- Computer monitors in non-secure areas should be locked when not in use. Password-activated screen savers should be used to lock employee computers after a period of inactivity.
- “Strong” passwords should be required and changed on a regular basis. (Tough-to-crack passwords require the use of at least six characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols.) Passwords should not be shared or openly posted in work areas.
- Policies should be in place for appropriate use and protection of laptops, PDAs, cell phones, and other mobile devices.
- Terminated employees should be prevented from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures.
- Procedures should be established to preserve the security, confidentiality and integrity of customer information in the event of a computer or other technological failure. The dealership should notify customers promptly if their customer information is subject to loss, damage or unauthorized access. The FTC requires this, and time will be critical in the aftermath of a breach to identify the problem, fix it, and take appropriate response measures.
- Employee training is a key component of an effective Safeguards program. Staff members should be trained to take basic steps to maintain the security, confidentiality, and integrity of customer information. For instance, internet sites that your employees visit may contain malware. Make sure that employees understand not to click on links in emails from unknown persons. New employees should be trained immediately and all employees should be retrained regularly.
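The list above stays at the policy level. As an added example (not from the article), here is how two of the technical items, blocking copies of customer files to USB drives and locking idle PCs, map onto the Windows policy registry values that Group Policy itself writes, applied and verified with PowerShell on a single workstation. The 10-minute timeout is an assumed value; use whatever the dealership's policy specifies.

```powershell
# Added example, not from the article: apply and verify two Safeguards workstation controls
# using the same registry values Group Policy sets. Run in an elevated PowerShell session.
$RemovableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # Windows device-class GUID for "Removable Disks"

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Disable-RemovableStorageWrites {
    # Equivalent of the policy "Removable Disks: Deny write access": staff can still read a
    # vendor's USB stick, but cannot copy customer files onto one.
    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksGuid"
    Set-PolicyValue -Path $path -Name 'Deny_Write' -Value 1 -Type DWord
}

function Set-InactivityLock {
    param([int]$Seconds = 600)   # assumption: 10 minutes of inactivity
    # "Interactive logon: Machine inactivity limit" locks the session machine-wide, so it does
    # not depend on each user keeping a password-protected screen saver turned on.
    Set-PolicyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
}

function Test-SafeguardsControls {
    # Read the values back so the same check can be rerun as a periodic audit.
    $rsd = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksGuid"
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        RemovableWriteDenied  = ((Get-ItemProperty $rsd -ErrorAction SilentlyContinue).Deny_Write -eq 1)
        InactivityTimeoutSecs = (Get-ItemProperty $sys -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    }
}

Disable-RemovableStorageWrites
Set-InactivityLock -Seconds 600
Test-SafeguardsControls | Format-List
```

On a domain-joined PC, set these through Group Policy instead; values written locally are overwritten at the next policy refresh if a GPO defines them differently.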
These steps require some diligence but are well worth the effort compared to possibly dealing with lawsuits, regulatory actions, or hits to your valuable reputation. Do yourself and your customers a favor by following best practices for protecting personal information.
Written by Jim Radogna