The Safeguards Rule of the 1999 Gramm-Leach-Bliley Act, which requires all financial institutions to design, implement and maintain safeguards to protect customer information, took effect on May 23, 2003. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to untraditional “financial institutions,” such as auto dealerships, that receive customer information from financial institutions.
As a result, dealerships need to establish appropriate security standards to protect customer data from internal and external threats and unauthorized access occurring through online systems and networks. This level of security is mandatory to ensure that companies maintain data integrity and privacy standards for employees and customers that have provided personal information.
Because dealerships rely on multiple forums and avenues to obtain, process, transmit, and subsequently store customer information, the initial evaluation and implementation of an Information Safeguard Program should be conducted by an independent, industry expert that can objectively evaluate dealership operations.
Unlike the phase-one Privacy Rule provision of the Gramm-Leach-Bliley Act, where dealerships simply notified customers on a standard form how their non-public information was used, phase two requires dealers to document and implement the process by which these safeguard provisions are carried out.
Penalties for non-compliance of this phase of the act are $11,000 a day, with fines that are retroactive to May 23, 2003. If, for example, a dealership were receiving credit applications on an unsecured website, that dealership would not be in compliance with the Safeguards Rule. As a result, a dealership that is not in compliance between June 2003 and January 2004 could face close to $2.5 million in fines, not including potential customer litigation.
There are currently a number of standard, one-size-fits-all compliance programs being marketed to dealers. The danger with these programs is that many of them contain provisions or statements that not every dealership is prepared to live up to. Others simply fall short in addressing areas of legitimate concern, for which a dealer is liable.
These areas may include vendor relationships, whereby non-employees have access to customer vehicles and information, such as a sub-contracted dent technician or cleaning service. Relationships with these types of vendors may be similar to those of regular employees and must be treated accordingly.
Also, do not be misled into thinking that the safeguarding of customer information is limited to educating sales, finance and insurance personnel. Safeguards and the proper training of personnel need to be implemented dealership-wide.
For example, a compliance audit might identify unsecured customer financial information in areas such as parts or service, in the form of mishandled or misplaced rental agreements and order forms that contain customer driver’s license and/or credit card information. Consider, too, that lot porters and car washers come across sensitive customer information on a daily basis. You need only look in the trash bins where trade-ins are reconditioned to find items left in glove boxes and trunks.
The foundation for a proper information security program should be based on employee training, followed by a working environment that’s conducive to the safeguarding of information. Very few dealerships currently offer their personnel either adequate information storage or disposal options, which inevitably lead to a faulty information security process. All areas of the dealership should have secured document receptacles where information can later be collected and destroyed.
Finally, once a secure operating environment is established, it’s a matter of consistently and diligently evaluating operations to ensure continued compliance. This will entail monitoring employees, processes, and those with whom dealerships do business.
Safeguarding the confidentiality and integrity of customer information is no longer just a best practice for dealerships. It’s now a legal requirement. Dealers should seek independent, professional advice in establishing a proper security program that will cover all risk points.
(Morrison, Brown, Argiz & Farra LLP is a Florida-based accounting and management consulting firm and home to one of the country’s largest auto dealership practices. If you have any questions about issues raised in this column, or about the general operation of your dealership, call Tony Argiz, Manny Rodriguez, or Phil Villegas at (305) 373-5500 or 1-800-239-1474 or e-mail them at email@example.com, firstname.lastname@example.org and email@example.com.)
Printed with the permission of Professional Auto News