As a child, I remember begging my parents to give me quarters so I could play games in the mall arcade. I would run right past the skeeball and pinball games, and mosey on up to the game of champions-whack-a-mole.
As most of you know, the challenge in whack-a-mole is to club the moles in the head when they pop up. If you’re too slow or fast-whoosh you miss! To win, you need to react to the moles when they show their mischievous smiling faces.
Games are fun, but adopting a whack-a-mole technique just isn’t the way to go when developing a company-wide Safeguards Policy.
What do I mean? Well, many dealerships I see have never stepped back and developed an information security program, or Safeguards Policy that is appropriate for the size and complexity of their particular dealership. Instead, many dealers merely react to what they perceive as their risks on a day-to-day basis.
For example, it is not unusual for me to visit a dealership that does not have a written Safeguards Policy, has not appointed a program coordinator, or has not attempted to identify reasonably foreseeable risks to their dealership (all of which are required under the federal Safeguards Rule). Instead, the dealership tries to scare the employees into lock-down mode. Signs are posted all over employee areas saying things like, If it doesn’t go in a deal jacket, it gets shredded! or, my personal favorite, if the FTC fines us, it’s coming out of your paycheck! I could write a complete article about the legal misinformation communicated in these signs, but I won’t. (Not today, at least.)
What is the problem with this approach? Well, other than potentially giving your employees ulcers, these messages simply do not reflect the requirements of the Rule. The Rule does not say that everything must be shredded, or even that your dealership has to be as tight as Fort Knox. When it comes to Safeguards compliance, there is no substitute for following the express requirements of the Safeguards Rule.
Let’s take a look. The Rule requires you to:
- Designate a program coordinator.
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information handled by the dealership that could result in its unauthorized disclosure, misuse, alteration, destruction, or other compromise- and assess the sufficiency of any safeguards in place to control these risks.
- Design and implement safeguards to control the risks you identify through the risk assessment and regularly audit the safeguards to ensure their effectiveness.
- Oversee service providers.
- Evaluate and adjust your Information Security Program.
The FTC intended these requirements to be as flexible as possible. As such, your dealerships safeguards don’t have to be perfect, but they must be appropriate for the size and complexity of your dealership and its operations, the nature and scope of your dealerships finance and lease activities, and the sensitivity of the information you handle.
What does all this mean?
It means that when it comes to developing a Safeguards Policy, you need to be proactive, not reactive. As you go through the process of tackling the whopper requirements under the Red Flag Rules this spring and summer, take some time to make sure that your Safeguards Policy is as proactive and responsive to the Rules requirements as it should be.
You’ll rest easier once you’ve gone through the steps. After all, whacking those moles can wear you out!
Emily Marlow Beck is a partner in the Maryland office of Hudson Cook, LLP. Prior to starting her legal career, she spent years working in a family-owned dealership. Emily is an editor and one of the authors of the CARLAW®- F&I Legal Desk Book, available at www.counselorlibrary.com. She can be reached at 410-865-5438 or by email at firstname.lastname@example.org.