The Big Dog is out. Yes, the Federal Trade Commission is officially sniffing around dealerships.
It's digging into dealership records and barking out document requests as it looks for violations of the FTC Safeguards Rule.
For some background on this subject, refer to my September 2003 column and also to the trade commission's web site: www.ftc.gov/privacy/privacyinitiatives/safeguards.html. There's even a file-a-complaint button there for anyone with a gripe against a dealership.
Why were particular dealerships selected for “inquiry”? What will they find? I don't know, but I do know what they are looking for. I've obtained one of the trade commission's request letters sent to a dealership.
The letter says, “The Safeguards Rule requires that businesses such as yours have in place administrative, technical and physical safeguards for customer information.
“The purpose of the Rule is to ensure that financial institutions have reasonable policies and procedures to protect the security and confidentiality of information collected from and about customers, to protect against any anticipated threats or hazards to the security or integrity of such information and to prevent unauthorized access or use that could result in substantial harm or inconvenience to any customer.”
The letter then outlines what items the FTC will be reviewing. Based on our experience and the contents of this letter, it is apparent that many dealerships are not in compliance with the Safeguards Rule.
Here is specific documentation the FTC is requesting:
- Customer Information — a listing of information from or about customers that is collected or maintained by the dealership. A sample copy of the forms used to collect that information is also requested.
- Information Security Program — a copy of the plan and when it was written and implemented with specific documentation on access and maintenance, retention, use, permanent storage or destruction of customer information. Also required: details on the transmission of information within the dealership and between related parties.
- Risk Assessment — documentation of the risks to customer information that were identified during the required assessment, and how the ISP does or does not address each of those risks.
- Program Coordinator — name and title of the employee and all documents that the employee followed in coordinating the ISP.
- Testing, Monitoring & Evaluation — documentation of the testing, monitoring and evaluation of the ISP performed to date, and the plans and procedures for performing these activities in the future.
- Service Providers — current list including name, address, and telephone number of those with access including what type of customer information they have access to, how they access the customer information, and the reason for the access. Also required: a copy of the contract with that service provider and detail of the monitoring process of each service provider's security safeguards.
The letter also requests that all undated documents be identified as to the date prepared or the date received as applicable.
Additionally, if certain documents are not provided or only partially so, the trade commission wants a written statement that provides a complete response.
It appears the FTC is targeting large dealer groups, possibly to more quickly estimate compliance in the retail car industry as a whole. Is this to be the “example” for other dealers? I don't know.
My fingers are crossed that warnings and recommendations rather than fines or dealer-license revocations will be the worst of these first FTC inquiries.
We all had better hope that the first batch of dealers being reviewed has done a good job or we could all be in for a real dog fight.
Don Ray is a senior member of the George B. Jones Dealer Services division of Dixon Odom, a national accounting and consulting group for dealers. He's at 901-684-5643 and [email protected].