Sidestepping Customer Information Security Disaster: Three Important Scenarios to Avoid

by Allyson Harris on May 2, 2015

Article Contributor: Ryan Lane

Many laws fall under the broad umbrella of Customer Information Security, each carrying its own weight. When looking at dealership compliance, it is vital to review the Safeguards Rule, whose objective is to ensure the security and confidentiality of customer information. However, the rule goes further than simply keeping private information to yourself. It also requires dealers to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Violations of the Safeguards Rule can come in multiple forms: external theft, internal theft, or simply carelessness with sensitive customer information. Over the years I spent working in dealerships, I came across countless Safeguards Rule violations, some predictable and some outlandish. Each experience gave me pause for thought, teaching me and many others important lessons and easy solutions regarding customer security. Sometimes there are simple steps that can help you avoid major issues with regard to the number one crime committed in the US today: identity theft. The following are three memorable scenarios that I witnessed, learned from, and have never forgotten:

Scenario 1: External Theft

I was consulting with a dealership several years ago when two women walked in with a very simple and effective plan to commit a crime. One of the women immediately created a scene. She was yelling, screaming, and cursing, distracting every employee within earshot. While the entirety of the dealership was sidetracked, her companion simply walked into an open office, picked up a full box of deal jackets, and then walked out the front door. Before anyone knew what was happening, over 20 complete deal jackets were stolen and both women were pulling out of the parking lot in a car without a license plate.

This opportunity for theft was born out of pure carelessness: simply shutting a door or keeping deals locked in file cabinets could have prevented many cases of identity theft. How can you avoid a similar circumstance at your dealership? The answer is simple: paper-based non-public personal information should not be left exposed and should always be kept in private and secured areas. Any information in plain sight is at risk for theft. With Safeguards Rule training in place, your dealership can have a process and protocol (the use of locked filing cabinets, CRMs, or auto-locking office doors) to stay in compliance, which will ensure that security is enforced, even in the event of an emergency or a distraction.

Scenario 2: Internal Theft

Many years ago a dealership that I was familiar with had a handful of employees prosecuted for internal theft. Their system was a simple one: when they came across a buyer with a low credit score, they would simply search for a buyer in their CRM that had the same last name, such as “Smith”, and a higher credit score. They would then take the Social Security Number with the better credit score and use it to complete the application for the individual with the lower credit score. The bank missed the differences on many occasions and the employees would make additional sales using an unwitting individual’s credit information. When the theft was discovered the dealership was heavily fined and was also required to buy back every car that was illegally sold.

How could this theft have been avoided? The use of a CRM with limited employee access can help to avoid similar illegal acts at your dealership. Allowing just any staff member to access unnecessary files or retain “working” customer files can lead to a crime of opportunity. Having a secure process with restricted access to sensitive customer information could save you and your customers a lot of pain and money.

Scenario 3: Compliance Violation

Although my final scenario doesn’t happen often, it can occur, and I’ve seen it firsthand. I was visiting a dealership one day and noted a salesman working a deal. The salesperson was sitting at his desk with a customer, going over the potential purchase, while the customer filled out his credit application. Meanwhile, a man had been perusing the cars in the showroom alone. When asked if he would like help, the man stated that he was just waiting for his wife to arrive; the car was for her and he was just gathering some information before she got there. With the man wandering in the background, the salesperson left his desk to work the deal with his manager. Shortly thereafter, the customer got up to use the restroom, leaving his credit application unattended on the salesman’s desk. The man who had been waiting for his wife immediately walked over, picked up the credit application, and approached the General Manager. In reality the man was actually an agent for the Department of Finance; he had been waiting to see if any mistakes were made in the dealership. The dealership was immediately fined $15,000 just for the credit application and was given 72 hours to come into compliance before they were more intimately investigated.

The best defense for your customer information security is employee training. Employees should be trained to take basic steps to maintain security, confidentiality, and integrity of customer information at all times.

While none of these scenarios are the norm, they do happen. Safeguarding your customer information is not only a best practice; the law requires you to have a Customer Information Security Process in place and your entire staff trained on that process. The best protection is to implement a strong Safeguards Policy and regularly train your employees on it, whether they are new employees or tenured.

To learn some of the best practices of the Safeguards Rule, read the article “Is your Information Safeguards Plan Keeping Up With Technology.” Have questions about how you can increase your security? Contact [email protected].
