Safeguards Rule At Your Dealership
Expensive mistake... Failure to abide by government data safeguard rules could result in fines topping $11,000 per day per unprotected sheet of paper.
If you looked at the title and thought, “This does not apply to us. We’re RV dealers, not a financial institution,” remember that a financial institution is defined as a business that:
1) Regularly writes installment contracts.
2) Writes installment contracts exceeding four months.
3) Utilizes contracts including interest charges.
4) Utilizes contracts for personal use property that is sold and held as collateral.
If these conditions apply to you, congratulations, your business is considered a financial institution as well as an RV retailer. Safeguards must rule at your dealership.
Much like the privacy policy you must employ and share with your customers that stipulates with whom you will share their information, the Safeguards Rule requires that you take steps to protect customers’ non-published information from the risk of identity theft.
Follow the guidelines
The Safeguards Rule focuses on the dealership’s policy and procedures in processing, storing and protecting non-published consumer information. While the regulation does not specify precisely what a company should do, it does delineate these five guidelines:
1) Identify reasonably foreseeable internal and external security risks. Conduct a risk assessment meeting, take notes and describe the current process of gathering customer information. Survey each department to identify everywhere customer or consumer information is exposed to public view.
2) Develop and implement policies and procedures that will safeguard your customers’ and employees’ non-published information against those risks you identified. Document the process for securing non-published data. If you do not know what information is not published, then treat all personal information as non-published.
3) Appoint a compliance officer to coordinate your information security program.
4) Oversee service providers to ensure they are safeguarding customer information.
5) Conduct self-audits to test your policies and procedures, then document the results.
Assess your risk
Tour your facility from an information-at-risk perspective. Where is customer information gathered? What documents do you use to record the data? What path does the information take? Are your traffic logs in public view? What information is written on the logs? Could someone’s identity be stolen from that data?
Where are worksheets kept in the sales department? What information do salespeople have and how do they use it to follow up on sales opportunities? Where do they place data when they are out on the lot with a client or when they leave the property at the end of a shift? Can they lock desk drawers, file cabinets and offices?
Are computers password protected? One dealership I was in did have all the computers password protected; however, the password list was posted on the side of the terminal in the F&I department. To add to the danger, the F&I office did not have a locking door; in fact, there was no door! Do not post computer passwords anywhere in the dealership and remember to change the passwords periodically.
Make certain your computers have adequate firewalls. Maintain logs identifying who has access to the mainframe, modems and dealership management systems. Monitor employee access to the Internet. When someone downloads a game, spyware can come with it. Spyware installs with the game, runs automatically and can send personal, customer, or employee information from your system undetected to an unauthorized person. Instruct your IT department to run a program that will identify spyware on a regular basis. You need to know what programs are installed and running on your dealership computers at all times.
Where are the archived files and dead files kept? Are they under lock and key? Who has access to them? What happens to documents when it is time to destroy the records? Use crosscut shredders and fire to destroy documents. The landfill method is no longer adequate.
Who does the housekeeping? When are they in the store? What do they have access to? Are your customer records under lock and key when the cleaning crew is on duty? (Many dealerships install numeric locks to save wear and tear on pockets overloaded with keys.)
FTC audits are serious
Document the process you use to safeguard information and to train each person who handles it. Training should occur at new hire orientation, with personnel promotions or interdepartmental transfers, or with a change in the physical layout of the dealership. Record training and counseling procedures in each employee’s file.
As part of the federal judicial system, the Federal Trade Commission (FTC) governs the Safeguards Rule. The FTC is interested in your policies, procedures and documentation. Exposing customer non-published information to the general public is subject to cease and desist orders, a fine of $11,000 for every piece of paper in violation — and jail time. FTC audits are serious business.
Appoint a compliance officer
This is the “go-to” person when a sensitive document is found lying around or when a breach of security occurs. A compliance officer should be “on deck” during the dealership’s hours of operation. The compliance officer should have the full support and authorization of senior management required to counsel an employee and document an incident in an employee’s personnel file and in compliance files. Employees who refuse to comply with company policies to safeguard customer information may need to be terminated.
Since no one can work all the hours the store is open, you may need to designate two compliance officers, one reporting to the other. The general manager or owner functions as the head compliance officer, depending on dealership structure.
Oversee service providers
Seek to do business with companies who will establish and maintain reasonable practices to protect your customers’ information. Obtain written agreements to confirm your service providers also have policies that include physical and electronic measures to safeguard the confidentiality and integrity of your customers’ information.
Document self-audits
Test your policies and procedures, and document infractions. Change what needs to be changed. Recognize good efforts, and counsel those who need to tune in to safeguarding data. The goal is to protect customer information, not restrict sales, hinder follow-up or prevent world-class customer service.
The Safeguards Rule, in effect since May 23, 2003, is good business practice and makes good sense. If you have not taken action to safeguard customer information, get started. Contact the RV Dealers Association to obtain a Safeguards Rule compliance kit developed by the Association of Finance and Insurance Professionals. Protecting customer data is responsible RV retailing.
RV Trade Digest, November 2005, p. 15