
BBB guide helps dealers protect customer data

November 18, 2010

To help small businesses comply with the Gramm-Leach-Bliley Act and related Safeguard Rules, the Better Business Bureau has launched a customer data protection guide called Security & Privacy — Made Simpler. The 22-page guide can be downloaded at


BBB executives said they developed the guide to demystify the complexities of data security and give small businesses a non-technical road map to securing their customer data. A separate guide focused on protecting employee data will be released this fall.


"Small businesses aren’t quite in step with their larger industry counterparts in addressing data security," said Steve Cole, president and chief executive of the Council of Better Business Bureaus. "They often believe they’re better protected than they really are, because they don’t have in-house experts to advise them on what else they should be doing beyond locking up their storefronts."


The BBB guide emphasizes the importance of a comprehensive security and privacy plan, and suggests that simple steps—like shredding documents, spot-checking employees’ backgrounds and ignoring phishing e-mails—are just as important as buying new security computer software.


Included in the guide: 

  • illustrations of low-tech and high-tech data theft, from dumpster diving to phishing and hacking, and steps for prevention;
  • checklists for daily security practices, such as restricting access to sensitive records, keeping e-mails free of personal information, and training employees on new privacy and security policies;
  • common sense advice: "If you don’t absolutely need a piece of customer information, the best policy is, don’t collect it," and "If you possess customer data you no longer need, discard it—securely;"
  • practical guidance on whom to notify in the event of a data breach, from law enforcement to potentially exposed customers.

The BBB guide is a response to many small business owners who said they are unsure how to protect their data and comply with the Gramm-Leach-Bliley Act, which since 2001 requires that financial institutions ensure the security and confidentiality of customer data. As part of the implementation of this act, the Federal Trade Commission instituted the Safeguards Rule in 2003.


More than half of all U.S. small businesses experienced a security breach in 2005, the Small Business Technology Institute reports. Nearly 20 percent do not use virus-scanning software for e-mail; more than 60 percent do not protect their wireless networks with encryption; and two-thirds do not have an information security plan. 

Small businesses, overall, make reactive purchase decisions in relation to information security, and usually purchase products only after suffering an information security incident.


"The definition of a financial institution has been broadly interpreted and will, in most cases, include motor vehicle dealerships," said Keith Whann, executive counsel for the National Independent Automobile Dealers Association. 

Dealerships that fall under the definition of financial institution are prohibited from disclosing certain personal information about their customers to third parties unless they satisfy notice and opt-out requirements.


"For example," said Whann, "if your motor vehicle dealership obtains a credit application from an individual and evaluates the information provided in the application to determine whether or not the individual qualifies for financing, you have provided a financial product or service. A motor vehicle dealership also provides a financial product or service if it provides a copy of the application or the information contained therein to another lending institution." 

Whann said the information covered under the Privacy Act and the Safeguard Rules includes data which a customer provides on an application to get a loan; account balance information, payment history and credit card information; the fact that an individual has been a customer or has obtained a financial product or service from the dealership; information the consumer provides that a dealer or his agent would otherwise obtain in connection with collecting on or servicing a credit account; any data collected through an Internet "cookie"; and any information from a consumer report.


"The only time you are not required to comply with the GLB and FTC’s Final Rule notice and opt-out requirements in connection with the sale or lease of a motor vehicle and/or related products or services from you is if the purchaser/lessee pays the total amount due via a credit card or with cash (provided that you do not sell a motor vehicle service contract or guaranteed automobile protection [GAP] product)," Whann said.