Is Your Information Safeguards Plan Keeping Up With Technology?
April 03, 2015 by Jim Radogna
Posted in: Sales & Finance Compliance
Tags: Customer Information Protection Rule, Safeguards Rule, Update your F&I procedures
Every day, dealerships collect personal information from consumers, including names, addresses, credit history, phone numbers, bank numbers, and Social Security information. The federal Safeguards Rule, enacted in 2003 and enforced by the Federal Trade Commission, requires dealerships to have a security plan in place that will sufficiently protect clients’ confidential information.
However, dealerships are far more advanced with regard to technology than they were when the Safeguards Rule was initiated. Protecting consumer information has become a larger issue, and is now quite a bit more challenging. It’s no longer merely a matter of making sure that credit apps aren’t lying on top of desks in the showroom or that deal jackets are stored in locking cabinets.
The consequences of non-compliance with the Safeguards Rule are very significant. Besides private lawsuits and damage to reputation, civil penalties of up to $10,000 per violation are also assessed, along with criminal penalties including imprisonment and fines.
Recently, it’s become painfully apparent that the FTC has placed car dealers on its enforcement radar screen. If you haven’t done so in a while, now may be a good time to dust off your Information Safeguards Policy and update it as needed. Here are some recommended guidelines and practices for a modern Safeguards Program:
- Access to customer information should be limited only to employees who require the information to do their jobs.
- Dealership employees should not be permitted to use or reproduce customer information for their own use or for any use that is not authorized.
- Any confidential customer information allowed to leave the dealership, either in paper or electronic form, greatly increases a company’s exposure. Customer information should always remain in management control. Allowing staff members to retain “working” customer files for any reason is risky at best. Consider limiting CRM access to dealership computers for all but the most trusted, top-level employees. If you allow certain personnel to use personal computers to store or access customer data, they should be required to use protective software against unauthorized intrusions.
- The dealership should utilize anti-virus software and maintain computer firewalls.
- The ability to download customer information from dealership computers to portable media such as USB drives, external hard drives, or other remote devices should be disabled.
- Paper-based customer information should not be left exposed and unattended in an unsecured area, and should be stored in a room or file cabinets that are locked or otherwise not available to the general public. Be aware that consumer information in plain sight can be taken or even photographed with a cell phone.
- All customer information should be disposed of in a secure manner. Paper-based customer information should be shredded prior to disposal and electronic information should be effectively deleted prior to hardware disposal. This includes the hard drives of digital copiers, fax machines and PCs.
- Electronic customer information should be stored on secure servers and access to the information should be password controlled.
- Computer monitors in non-secure areas should be locked when not in use. Password-activated screen savers should be used to lock employee computers after a period of inactivity.
- Passwords should be “Strong” and changed on a regular basis. Strong passwords possess at least six characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols. Passwords should never be shared or openly posted.
- Inbound or outbound credit card information, credit applications, or other sensitive financial data transmitted from consumers should only be sent through an encrypted or secure connection. Clients should be advised against transmitting sensitive data by email or fax. If sensitive data is in fact transmitted to the dealership by email, such transmissions should be password controlled or otherwise protected from theft or unauthorized access.
- Customer financial information should never be kept on any computer system that has an Internet connection.
- Policies should be in place for appropriate use and protection of laptops, PDAs, cell phones, and other mobile devices.
- Terminated employees should be prevented from accessing customer information by immediately deactivating all passwords and user names and taking other appropriate measures.
- Procedures should be established to preserve the security, confidentiality and integrity of customer information in the event of a technological failure. The dealership should notify customers promptly if information is subject to risk of any kind. The FTC does require that this action be taken. Time will be critical in the aftermath of a breach to identify the problem, fix it, and take appropriate response measures.
- Employee training is a key component of an effective Safeguards program. Staff members should be trained to take basic steps to maintain the security, confidentiality, and integrity of customer information. For instance, internet sites that your employees visit may contain malware. Make certain employees understand not to click on links in emails from suspicious or unknown persons. Regular training sessions should be held not only for new employees but also for veteran employees.
These steps do require a fair amount of diligence but are well worth the effort compared to dealing with lawsuits, regulatory actions, or the deterioration of company reputation. Do yourself and your customers a favor by following best practices for protecting personal information.
Do you have further questions about the Safeguards Rule? Would you be interested in an F&I audit, sales and finance compliance training, or some additional F&I consulting to strengthen your organization? Contact KPA at [email protected] or call us today.