
Safeguarding customer information deadline

November 23, 2010
Some dealers have been slow to act on the May 23 deadline for financial institutions, including dealerships, to comply with a new FTC mandate governing how sensitive information obtained from customers is handled. The FTC's "Standards for Safeguarding Customer Information," or Safeguards Rule, is in addition to, yet independent of, the commission's Privacy Rule, which took effect in July 2001. Both rules implement the Gramm-Leach-Bliley Act, and the Privacy Rule is often loosely referred to by that name. In essence, the Privacy Rule governs how financial institutions share information they obtain from consumers who obtain, or merely apply for, financial products or services. The Safeguards Rule addresses how that information is protected.

The Privacy Rule requires dealers to make a statement in their privacy notices about their information safeguarding practices. A common statement: "We maintain physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information." The Safeguards Rule is the federal regulation referenced in that notice.

The National Automobile Dealers Association prepared a 48-page guide to complying with the new regulation. A complimentary copy reached all NADA members in late March. The guide includes a template to help dealers develop a written information security program. Additional copies of the guide can be ordered at 800-252-6232 ext. 2.

In an age of growing identity theft, the Federal Trade Commission intends the new rule to shore up the sloppy practices that invite such theft. Examples the FTC points to include deal jackets left overnight on desktops, or sensitive customer information that can be called up on computers in a department with no business need for it.
As an ongoing condition under the Safeguards Rule, the FTC requires every dealer and other "financial institution" to develop, implement and maintain a comprehensive, written Information Security Program to protect its customer information and the information it receives about the customers of other financial institutions. As an example of the latter, a dealer might, in a marketing relationship with its manufacturer's financial arm, obtain information about off-lease customers who have never dealt with that dealer before.

An Information Security Program must contain five elements:
1. Designate a Program Coordinator
2. Conduct a risk assessment
3. Design and implement safeguards to control all identified risks
4. Oversee all the institution's service providers
5. Periodically reevaluate the institution's Program

The Program Coordinator must be an employee of the company. All other elements can be contracted to an outside agency; the overall responsibility for compliance cannot. The coordinator must also be senior enough, or have enough clout, to effect change. The coordinator probably would not be subject to increased personal liability. Smaller dealerships likely can appoint a single Program Coordinator. Large dealer groups might have to appoint several Program Coordinators from various departments and designate one of them to head a committee of coordinators. The roles and duties of the Program Coordinator are ongoing, so the position must be filled on a permanent basis.

In conducting a risk assessment, the dealership must identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in its unauthorized disclosure or other misuse, and assess the sufficiency of whatever safeguards are in place to control those risks.
Security is put at risk, for instance, by leaving deal jackets in unlocked or unattended areas, or by handing a completed Buyer's Order to a salesperson merely to perform CSI follow-up. The risk assessment must cover "all relevant areas" of a dealership's operation. At a minimum, special attention must be paid to:
• Employee training and management;
• Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
• Detecting, preventing and responding to attacks, intrusions or other systems failures affecting any electronic or non-electronic information system.

Dealers also must oversee their service providers, requiring them by contract to implement and maintain their own customer information safeguards. The deadline to add such language to service provider contracts is May 23, 2003, for contracts entered into after June 24, 2002. A grandfather clause delays that requirement until May 24, 2004, for contracts entered into on or before June 24, 2002.