
CATA Bulletin
May 12, 2003


Safeguarding customer information deadline

November 23, 2010

Some dealers have been slow to act towards a May 23 deadline for financial institutions, including dealerships, to comply with a new FTC mandate regarding how any sensitive information obtained from customers is treated. The FTC's "Standards for Safeguarding Customer Information," or Safeguards Rule, is in addition to, yet independent of, the commission's Privacy Rule, which took effect in July 2001. The Privacy Rule is also referred to as the Gramm-Leach-Bliley Act. In essence, the Privacy Rule regards how financial institutions share any information they obtain from consumers who secure or merely apply for financial products or services. The Safeguards Rule addresses how that information is protected.
The Privacy Rule requires dealers to make a statement in their privacy notices about their information safeguarding practices. A common statement: "We maintain physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information." The Safeguards Rule is that federal regulation referenced in the privacy notice.
The National Automobile Dealers Association prepared a 48-page guide to comply with the new regulation. A complimentary copy reached all NADA members in late March. The guide includes a template to help dealers develop a written information security program. Additional copies of the guide can be ordered at 800-252-6232 ext. 2.
In an age of growing instances of identity theft, the Federal Trade Commission intends for the new rule to shore up sloppy practices that invite such theft. Sources of FTC horror include deal jackets that are left overnight on desktops, or sensitive customer information that can be called up on computers in an unauthorized department.
As an ongoing condition under the Safeguards Rule, the FTC requires every dealer and other "financial institutions" to develop, implement and maintain a comprehensive, written Information Security Program to protect its customer information and the information it receives about the customers of other financial institutions. As an example of the latter requirement, a dealer might, in a marketing relationship with his manufacturer's financial arm, obtain information about off-lease customers who may never have dealt with that dealer previously.
Information Security Programs must contain five elements:
1. Designate a Program Coordinator
2. Conduct a risk assessment
3. Design and implement safeguards to control all identified risks
4. Oversee all the institution's service providers
5. Periodically reevaluate the institution's Program
The Program Coordinator must be an employee of the company. All other elements can be contracted with an outside agency, except the overall responsibility for compliance. Also, the coordinator must be senior enough or have enough clout to effect change. The coordinator probably would not be subject to increased personal liability. Smaller dealerships likely can appoint a single Program Coordinator. Large dealer groups might have to appoint several Program Coordinators, from various departments, and specify one of them to head a Committee of Coordinators. The roles and duties of the Program Coordinator are ongoing, so the position must be filled on a permanent basis.
In conducting a risk assessment, the dealership must identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in its unauthorized disclosure or other misuse; and assess the sufficiency of whatever safeguards are installed to control those risks.
Security is risked, for instance, by leaving deal jackets in unlocked or unattended areas, or by presenting a completed Buyer's Order to a salesperson merely to perform CSI follow-up. Risk assessment must cover "all relevant areas" of a dealership operation. At a minimum, special attention must be paid to
• Employee training and management;
• Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
• Detecting, preventing, responding to attacks and intrusions on any electronic and non-electronic information systems, or other systems failures.
Dealers also must oversee their service providers, requiring them by contract to implement and maintain their own customer information safeguards. The deadline to add such language to service provider contracts is May 23, 2003, for contracts entered into after June 24, 2002. A grandfather clause delays the implementation requirement until May 24, 2004, for contracts entered into on or before June 24, 2002.

Dealer ordered to close for Memorial Day weekend over false ads


A California dealership was ordered to close over the Memorial Day weekend as penalty for false and misleading advertising claims made from June 2000 to November 2001. Lithia Nissan of Fresno, Calif., also agreed to pay $160,000 to avoid a longer suspension and to reimburse the state's department of motor vehicles $25,000 for its investigation and legal costs.
Allegations against Lithia Nissan included false advertising of guaranteed loans and pre-approved credit cards. One ad offered $200 in free groceries for test-driving any vehicle, when actually "the consumer had to pay and mail in an order to receive discount coupons," according to the DMV. Other allegations included failing to sell vehicles at advertised prices and false claims that consumers "could drive away in a new car for only a $45 documentation fee." Consumers also were invited to bring their own cars to sell and were told "used-car buyers will be on-site bidding for your vehicle, ensuring top dollar." Instead, only appraisers were present and no bidding occurred, DMV officials said. Some of the claims appeared in The Sacramento Bee and in direct mail to more than 75,000 customers, including DMV investigators.
Steven Gourley, director of the California DMV, said the May 24-26 store closure would send a strong message "to all other California dealerships that these kinds of illegal business practices will not be tolerated." The DMV also will conduct four unannounced audits of the dealership during a four-year probationary period, and Lithia will reimburse the department up to $7,500 per audit.



In this non-election year, officials of the Dealers Election Action Committee reported March 31 that DEAC had raised 23.6 percent of its yearlong contributions goal. But contributions by dealers in what the NADA defines as metropolitan Chicago (Cook, Lake and DuPage counties) were at 7.2 percent of the annual goal amount. DEAC is a dealer's only true voice in Washington, and it needs support to retain its powerful presence; in the 2001-2002 election cycle DEAC was the nation's third largest political action committee in terms of contributions to federal candidates. Since the inception of DEAC in 1975, dealers have contributed more than $22 million to the election campaigns of pro-business, pro-dealer candidates for Congress. Contributions to DEAC pay for themselves many times over in the form of better, fairer government on the federal level. Think of DEAC as political insurance: Contribute now, or pay 10 times that amount later in the form of higher taxes, excessive regulations and mandated employee benefits.

Employers must protect privacy of their workers' health information


Most partially or fully self-insured dealership health plans have $5 million or less in annual premiums. Dealers with such plans have until April 14, 2004, to comply with a U.S. Department of Health and Human Services rule that requires them to protect the privacy of any health information of employees, retirees or beneficiaries. Large plans, those with more than $5 million in annual premiums, had until April 14, 2003, to comply. Some reports indicated that self-administered plans covering 50 or fewer employees have until next year to comply. In fact, such plans are entirely exempt. (Few dealers self-administer their plans.)
The rule, issued in conjunction with the Health Insurance Portability and Accountability Act of 1996, requires covered employers to develop handling procedures for protected health information. Generally, they must (1) notify employees about their privacy rights and how any information can be used; (2) designate an individual to oversee the adoption and implementation of procedures to control the use and release of such information; (3) train employees to understand those procedures; and (4) secure patient records containing such information so that they are not readily available to people who don't need them. Certain information is not covered, such as that pertaining to workers' comp or compliance with the Americans with Disabilities Act.
The NADA's Legal Department suggests that dealers try to minimize or eliminate handling such information to reduce their compliance duties. Still, the rule is flexible, letting small plans with limited access to private health information adopt simple procedures. Fortunately, most dealership plans use third-party claims administrators and rarely handle such information. The NADA will draft a comprehensive guide to the rule and send it to dealers this year, well before the April 2004 compliance deadline.
Until then, dealers should follow the recommendations of the health insurance companies and third-party administrators they work with.



Ten area Cadillac dealers joined 107 others as 2002 Cadillac Master Dealers, for outstanding sales and customer satisfaction. They are Arnie Bauer Cadillac-GMC, Matteson; Ettleson Cadillac-Oldsmobile, Hodgkins; Steve Foley Cadillac, Northbrook; Heritage Cadillac, Lombard; Napleton Cadillac, Park Ridge; Patrick Cadillac, Schaumburg; Tony Rizza Oldsmobile-Cadillac, Tinley Park; Frank Shirey Cadillac, Oak Lawn; Town & Country Cadillac, Naperville; and Weil Oldsmobile-Cadillac, Libertyville.
Ten area Ford dealerships earned the carmaker's 2002 President's Award for outstanding customer satisfaction performance. They are Arlington Heights Ford; Rod Baker Ford Sales, Plainfield; Bredemann Ford, Glenview; Buss Ford Sales, McHenry; Court Street Ford, Bourbonnais; Landmark Ford of Niles; Oakfield Ford, Villa Park; Al Piemonte Ford, Melrose Park; Joe Rizza Ford, Orland Park; and Wickstrom Ford, Barrington.
Seven area Honda dealers are among the recipients of Honda's 2002 President's Award for top performance in sales, service and satisfaction. Recipients include Community Honda, Orland Park; Grand Honda, Elmhurst; Jacobs' Twin Honda, Chicago; McGrath Honda, Elgin; McGrath Motors, St. Charles; Muller Honda, Highland Park; and Planet Honda, Chicago Heights.
Kevin Keefe of Libertyville Toyota and Phillip Resnick of Schaumburg Toyota have been named to the Toyota Board of Governors, for high sales volume and CSI.
Daniel J. Rabulinski of Wilkins Mazda in Villa Park is among 12 finalists in Mazda's 2003 North American Master Technician competition.
Nissan has named 69 Master Technicians nationwide who completed a thorough training program on servicing Nissan models. Local techs are Timothy Barker of Napleton Nissan, Schererville, Ind.; Greg Eltinge of Bill Kay's Downers Grove Nissan; and Larry Westberg of Hawkinson Nissan, Matteson.