Safeguarding—It’s Around Every Corner and It Still Matters
I was reading a case about safeguarding the other day. It didn’t involve dealers, it didn’t even have a terrible liability result for the defendant, but it reminded me that safeguarding issues are around practically every corner and still very much “in play.” The case was about a company that leases photocopiers and printers. The machines stored images of printed documents. The problem, of course, is that the document images were not destroyed when the lease ended and the equipment was released to another company. The leasing company was sued by a customer for not disclosing the existence of the hard drive that stored images and for releasing the machine without destroying the images. While the plaintiff’s claims failed, the case reminded me of the constant need to guard against the careless treatment of customer information, particularly sensitive financial information.
You’ve heard the question before—do you have a Safeguards Plan? It’s not a new question. It’s something you hear from compliance consultants, at conferences and seminars and in newsletters and articles (like the one you’re reading right now). You think, “I’ve got this covered!” You dutifully (and proudly) think of the three-ring binder that sits on the bookshelf in your dealership office, entitled “Safeguards Plan.” You’ve even named a “Safeguarding Officer.” Well, good for you!
Before your chest puffs out too far, or you think “I’ve got this licked,” however, let’s go over the basics. The Federal Trade Commission Safeguards Rule requires that financial institutions (and yes, that includes dealers) ensure the security and confidentiality of their customers’ information.
Okay, let’s get to the nitty-gritty. The written Safeguards Plan has to be “appropriate to the [dealership’s] size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.” That means it has to be appropriate to your dealership, its size, the types of business activities it engages in and how sophisticated these are. Consider the dealership’s business: Is it all in person? Do you take credit applications online? Do your employees walk around with fancy electronics to process paperwork or their own PDAs? How big is your operation? Do you have multiple locations? Do you have a related finance company or insurance company? Don’t forget to consider the customer information you obtain, how you obtain it, what you do with it and how you store it.
So, what’s the next step? Well, you have to do a risk assessment and figure out the risks to customer information. The risk assessment will help you determine the appropriate controls to have in place. The risk assessment should also help you identify and evaluate the effectiveness of safeguards you already have in place.
Now, there are certain things your Safeguards Plan must have. It must designate an employee or two to coordinate the safeguarding program. This could be a single employee or a team. The plan must provide for regular monitoring and testing. It must have a process to select vendors that handle customer information to ensure they will appropriately safeguard it. It must also provide for continually evaluating and adjusting the program. This means reconsidering the earlier risk assessment. Has the dealership’s business changed? Are you now taking credit applications online? Did you add a buy-here, pay-here operation? Did you purchase a new DMS system? This also means reconsidering the earlier risk assessment and safeguards in light of the results from the testing and monitoring you are supposed to be doing.
The written plan can be in one single document (like that three-ring binder on your bookshelf), or it can be in several documents, like the employee hiring policy that describes how you do background checks on your employees, the technology policy that describes how employees must have strong passwords for access to the dealership’s DMS, and the policy that states that all documents with customer information must be shredded. If you have it in multiple documents, make sure you refer to the outside documents in the one document that’s supposed to be your main Safeguards Plan document.
Finally, the Safeguards Rule also requires that you pay special attention to the following three areas: employee training and management, information systems, and the management of system failures. That means you should have a training program. I recommend having one for new employees and then having other employees go through it every year or so. Each employee’s training and refresher training should be documented, of course.
You should definitely make sure you have a technology specialist consider the security of your information systems. Then, consider system failures—security breaches are prime examples. You should have a security breach plan: a written procedure of what your dealership will do if it discovers a security breach. Also remember that most states have a law that requires businesses to notify customers of breaches of the security of their information; make sure to check your state law.
So, now think about that Safeguards Plan you have sitting on the bookshelf in your dealership office. When was the last time you opened it? Does it provide for being continually updated? Do you monitor and test elements of the safeguards plan? Did you even do a risk assessment when you put together the plan in the first place?
The beautiful thing is that it’s never too late. The Safeguards Plan is supposed to be continually revisited, revised, and updated. Oh yeah, and make sure the person you named as “Safeguarding Officer” still works at your dealership (and consider whether s/he is the best person for the job).
Patricia E.M. Covington, formerly Deputy General Counsel with Virginia-based CarMax, Inc., is a partner in the Maryland office of Hudson Cook, LLP. She has significant experience in the areas of dealer, credit, and privacy law. Patty can be reached at 410-865-5409 or firstname.lastname@example.org. Based on an article appearing in Spot Delivery, single print publication rights only to Dealer Marketing Magazine.