
Red Flag Rule: Keep your customers' private information secure

November 16, 2010

By Catharine E. Stark

Have you ever heard the saying "Change your clock, change your battery"? Twice a year, when you change your clock for daylight saving time, you should also take the opportunity to change the battery in your smoke detector. Or so the saying goes. The idea is to get people to associate two things that they may not otherwise consider related.

Bearing this saying in mind, as you embark on implementing an Identity Theft Prevention (ITP) Program at your dealership, as required by the new Red Flag Rules, it is worth associating your new ITP Program with your existing privacy, information security, and anti-fraud policies and procedures.

The Red Flag Rules require you to implement an ITP Program before Nov. 1, 2008. As part of your ITP Program, you must identify and detect "red flags" that may indicate the possibility of identity theft at your dealership. Doing so will involve a thorough examination of every aspect of your handling and use of customer information. 

Implementing your ITP Program gives you a prime opportunity to consider ways to improve your dealership’s existing privacy, information security, and anti-fraud policies and procedures as they also relate to your handling and use of customer information. (Think information security program, privacy policy, record retention policy, customer service policy, customer authentication procedures, anti-fraud procedures, etc.)

Just as taking the opportunity to change the battery in your smoke detector will help to keep your loved ones safe, taking the opportunity to improve your existing privacy, information security, and anti-fraud policies and procedures will help to keep your customers’ private information secure. 

As a first step in your ITP Program implementation, take the opportunity to increase the general awareness at your dealership of the importance of protecting private customer information. You can use the Red Flag Rules’ compliance requirements to draw your employees’ attention not only to your ITP Program implementation efforts, but also to your dealership’s other privacy, information security, and anti-fraud policies and procedures. Doing so will help to underscore how important you consider the protection of private customer information at your dealership to be.

Second, use your ITP Program implementation as an opportunity to detect specific substantive gaps in your dealership’s existing policies and procedures. For example, during your ITP Program implementation, let’s say you identify that submission of an out-of-state license with a credit application would raise a red flag, requiring you to verify that the out-of-state license is a valid license. Not only does this raise a red flag, but it may also trigger concerns about your dealership’s anti-fraud procedures generally.

For example, do you currently have a mechanism in place by which to verify that an out-of-state license is valid? In this way, associating red flags with potential gaps in your existing privacy, information security, and anti-fraud policies and procedures will better equip you for creating an environment of security at your dealership under which you minimize the risk of identity theft and increase your protection of private customer information.

Third, during your ITP Program implementation, consider ways to tighten up your privacy and information security practices. The Red Flag Rules require you to incorporate your own experiences in identifying red flags at your dealership. Have you ever heard of identity theft resulting from someone stealing a photocopy of a credit applicant’s driver’s license? If this is your experience, not only do you want to identify any incident of a missing photocopy of a credit applicant’s driver’s license as a red flag in your dealership’s ITP Program, but also you may wish to consider revising your information security program to identify and assess the risk of unauthorized access to a customer’s driver’s license at your dealership.

Driver’s licenses may contain your customers’ Social Security numbers and other private personal information, much of which is the kind of information you are required to protect by the FTC’s Safeguards Rule and Disposal Rule.

As you evaluate this red flag, consider changing your dealership’s policy to require your employees, upon copying a customer’s driver’s license, to promptly safeguard that information. For example, you may wish to make it your dealership’s policy, upon a customer’s submission of a driver’s license, to immediately copy the driver’s license and store the photocopy in a secure place where you have control over who may access it and where it will remain until the expiration of any required retention period.

Review your record-keeping policies to ensure that, once any required retention period expires, you have procedures in place to properly dispose of the information. Keeping a tighter leash on who has access to private customer information at your dealership will make your dealership less vulnerable to a security breach in the future (which, by the way, potentially subjects your dealership to a host of onerous security breach notification duties).

The relationship among the laws governing your handling and use of private customer information is significant. All of the rules governing information privacy and security are written to offer dealerships maximum flexibility to best protect private customer information in light of the circumstances present at each dealership. In order to best protect private customer information at your dealership, consider your existing privacy, information security, and anti-fraud policies and procedures in light of your efforts to comply with the Red Flag Rules.

As you identify red flags during the implementation of your ITP Program, consider whether there is a way to improve your procedures for collecting, using, storing, and disposing of customer information that will minimize the risk of identity theft or a security breach at your dealership.

Catharine E. Stark is an associate in the Washington, D.C., office of Hudson Cook, LLP. She can be reached at 202-327-9706 or cstark@hudco.com.

Copyright 2008. CounselorLibrary.com, LLC, all rights reserved. This article appeared in Spot Delivery®. Reprinted with express permission from CounselorLibrary.com, LLC.

 
