Protecting Your Customer, Protecting Yourself

Did you know, when it comes to a compliance fine, any chief officer can be fined individually? And the fines are not just issued for leaving physical papers unattended anymore. The advent of car-shopping websites and mobile apps have increased the need for dealer awareness and responsibility in avoiding stolen personal information from online sources.

"If you have a piece of customer information that is not safeguarded properly, there's a (noncompliance) fine of $40,000 per day," says Matt Woods, director for field operations at an Austin, Texas dealership consultancy service group in a recent report from Automotive News. What does this mean? That one unlocked cabinet in an unattended office could result in astronomical fines—one for every file. Not only does this lack of security result in fines, it also manifests as loss of customer’s trust and loyalty as well as possible lawsuits.

Protecting Customer Information

Personal information consists of names, addresses, phone numbers, social security numbers, bank and credit card accounts as well as income and credit histories. As part of the Gramm-Leach-Bliley Act established in 1999, the Federal Trade Commission (FTC) has issued the Safeguards Rule. According to this rule “Financial institutions must develop a written information security plan that describes their program to protect customer information.”

This written plan should include:

1. A designated employee that is responsible for the program
2. Identify all risks and how effective they are at controlling these risks
3. Design, evaluate and define the plan and how the employees are going to monitor it.

How to Stay in Compliance

• Personnel Guidelines
  • Allow only specific managers to have access to this personal information.
  • The “principle of least privilege” means that each employee should only have access to what they need to do their job.
  • Track how all personal information moves into, through and out of your business.
  • Train staff regarding the Safeguards rule and its implications to the dealership.
• Hardcopy Guidelines
  • Ensure that information on hard-copy is kept in locked file cabinets .
  • Limit the number of keys.
  • Train staff to keep papers containing personal information off of their desk.
  • Inventory all locations, including off-site storage, where personal information may be stored and consolidate as much as possible.
• Digital Guidelines
  • Make sure digital information is maintained on a computer that is password-protected and times-out.
  • Inventory all computers, mobile devices, flash drives, copiers and even home computers for sensitive data.
  • Secure this data and run up-to-date anti-malware programs.

While some dealerships may have the expertise and know-how to implement the Safeguards Rule, many are turning to outside services for help staying in compliance. Dealership Development Inc offers compliance audits, implementation of solutions, documentation, and in-dealership training.