The Federal Trade Commission’s Safeguards Rule says auto dealers must create and regularly monitor programs to protect personal customer information gathered in credit, lease and insurance transactions.
A few years after the rule went into effect in 2003, the FTC investigated several dealerships to review whether they had complied.
During the course of those investigations, the FTC suggested improvements to the dealers involved. Generally, however, the FTC found that the dealers had appropriately implemented programs.
Customer concerns over the protection of their financial information have not diminished. If anything, concerns are even greater today because of the substantial increase in electronic attacks to steal information.
When the FTC issued the Safeguards Rule, it made clear that the program adopted was to be more than a static document. The rule requires regular reviews and modifications as necessary to address risks.
When was the last time that you reviewed your Safeguards program and its effectiveness? The Dodd-Frank financial reform legislation empowered and funded the FTC to increase its oversight and review of dealer practices.
If the FTC comes to your dealership and asks to review not just your Safeguards program but your history of regular reviews of the plan’s efficacy, how will your dealership fare?
If you have not blown the dust off such programs in a while, do so now. Review your program thoroughly.
When you adopted your program, you did a risk assessment. Are the protections and procedures for compliance implemented to address the risks identified still in place and operating as designed?
When you established your program, you designated a coordinator to ensure compliance. Is the person still operating as coordinator? If not, who is and has the program been updated to list the new coordinator?
Are any revisions or updates necessary? Have there been new general threats that may have been identified? Have there been any incidents in your dealership that caused or threatened data breaches? If so, your program must take those into account.
Have you obtained safeguard agreements from all vendors with access to the personal information of your customers?
What steps have been taken to guard against evolving threats to customer data maintained electronically?
When was the last time that you trained personnel on the continuing duties of the dealership’s Safeguards program?
While you are reviewing that, spend some time on your Red Flags compliance. When the FTC issued that regulation, it included a specific requirement that the coordinator of that anti-identity theft program must provide at minimum an annual report to the board of directors or a senior-level dealership manager.
This report must address the effectiveness of the program, service provider arrangements, incidents involving identity theft, and recommendations for changes to the program.
If asked to produce those reports, how will your dealership fare? Many dealers today use automated systems or services provided by outside vendors to comply with the requirements of the Red Flags Rule.
But what about the annual obligation of the coordinator to report on that compliance?
At least once a year, take the time to do the reviews of your Safeguards and Red Flags programs so that you can show that you are regularly reviewing them and they are up to date.
Michael Charapp is a lawyer who represents auto dealers. Based in McLean, VA, he is at (703) 564-0220 or [email protected].
