
Gramm-Leach-Bliley: “Safeguards Rule”

The federal government declared war on identity theft with the Gramm-Leach-Bliley Act (GLB Act). The GLB Act’s primary weapons are the “Privacy Rule” and the “Safeguards Rule,” which address how your dealership shares and protects information about your customers. The Safeguards Rule is the focus of this article. For information on the Privacy Rule, please see “Gramm-Leach-Bliley: Privacy Rule”.

DOES THE GLB ACT APPLY TO AUTO DEALERS?

The GLB Act applies to all financial institutions.  Dealers are “financial institutions” so long as they are significantly engaged in financial activities like entering into finance or lease transactions with consumers.  Thus, unless your dealership plays no part in arranging financing, the GLB Act applies to you.

PENALTIES FOR NON-COMPLIANCE

There is presently no individual right of action for violating the Privacy or Safeguards Rule.  So no individual customer has a right to sue you for non-compliance.  However, the FTC can investigate your compliance and the state attorney general may bring an action against your store for violation of the state’s “Unfair and Deceptive” trade practices law.  Imagine how a “failure to protect customer information” lawsuit would impact the public’s opinion of your store.  Customers are already hesitant to divulge their personal information to auto dealers.  How much worse would it be if customers knew you failed to adhere to the federal laws protecting their information?

WHAT DOES THE “SAFEGUARDS RULE” REQUIRE?

The Safeguards Rule requires financial institutions (defined to include dealers who play any part in financing or leasing) to develop and maintain an “information security program” to protect the confidentiality and integrity of personal consumer information.

WHAT SORT OF INFORMATION IS PROTECTED?

The Safeguards Rule protects “Customer Information,” defined to include “any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the dealership or its affiliates.” This means that practically all the information you gather from customers seeking to finance or lease a vehicle must be protected. There are exceptions to the rule, but for practical purposes it’s easiest to treat all customer information as subject to protection rather than differentiate between protected and unprotected data.

INFORMATION SECURITY PROGRAM

The Safeguards Rule requires dealerships to develop and maintain a comprehensive information security program.  The program must meet all of the following requirements:

  1. The program must be in written form.  Merely discussing the program with employees isn’t sufficient.
  2. Designate an employee to coordinate the information security program. The program coordinator must: a) be an employee, b) have authority to design, implement, and maintain the safeguards policy, and c) have authority to enforce the safeguards.
  3. Identify reasonably foreseeable risks to the security of Customer Information that could result in unauthorized disclosure or other compromise. The Safeguards Rule gives you the flexibility to adopt the procedures appropriate for your store. But this also prevents you from purchasing an “off-the-shelf” information security program because you must conduct an individualized assessment for your particular dealership.
  4. Assess the sufficiency of any safeguards in place to control the aforementioned risks.
  5. Develop and implement Customer Information safeguards to control the risks you identify through the risk assessment, and regularly audit these safeguards to ensure their effectiveness.
  6. You must oversee service providers who take possession of Customer Information and contractually require service providers to “implement and maintain such safeguards”.
  7. You must evaluate and adjust your information security program as needed.  The frequency of evaluations will depend on the complexity of your organization but you should make it a point to retain documentation on the protective measures you’ve instituted and what revisions were made and when.  Such evidence would be invaluable in the event the FTC appears at your door.

DISPOSAL OF INFORMATION

Your information security program should consider how to best safeguard consumer information in connection with its disposal. Though this requirement is implicitly part of the risk assessment, the Disposal Rule of the Fair and Accurate Credit Transactions Act makes it explicit. You must take reasonable measures to protect against a security breach in connection with the disposal of consumer information.
