Best Practices, Apr 4th, 2023

26 Motivators and the GLBA


More than thirty (30) years ago, I made a list of what motivates people.

(I’m not sure why I was motivated to make the motivation list though.)

I have no recollection of where these pieces or parts may come from, but here they are:

1. Make money

2. Save money

3. Save time

4. Avoid effort

5. Get more comfortable

6. Achieve greater cleanliness

7. Attain fuller health

8. Escape physical pain

9. Gain praise

10. Be popular

11. Attract someone else

12. Conserve possessions

13. Increase enjoyment

14. Gratify curiosity

15. Protect family

16. Be in style

17. Have or hold beautiful possessions

18. Satisfy appetite

19. Emulate others

20. Avoid trouble

21. Avoid criticism

22. Be individual

23. Protect reputation

24. Take advantage of opportunities

25. Have safety in buying something

26. Make work easier

It’s not a perfect list, but it’s not bad either.

"Nothing happens at a dealership until something is sold."

That’s what pays the bills. It’s easy to see how this list could be parlayed into motivational leverage with the goal of selling something.

On the other hand, on the “other” side from selling, in governing the business, some of the same motivators can be used to avoid problems, dodge pain, save money, protect your reputation, and avoid trouble.

Where the focus is eliminating or avoiding problems, that’s called governance, risk, and compliance (GRC).

Avoiding foreseeable problems (or “preventable risk”) will be the core motivation of this article.

At a dealership, a robust GRC program will extinguish issues which are obvious and avoidable. Here’s a summary of the eight (8) steps involved in a dealership GRC program:

1. Identify risks and compliance obligations

2. Prioritize the work by potential catastrophic problems and willful non-compliance penalties

3. Reduce exposure by building a proactive risk transference program

4. Create your internal policies and procedures for risk and compliance

5. Evolve from reactive to proactive to ameliorate your risks

6. Assign responsibilities and accountability

7. Track progress to protect the dealer (personally) and the dealership’s assets

8. Routinely review and audit people, processes, policies, and technology to document and revise compliance and risk protocols

A robust GRC program will translate into action when the dealership brings a keen focus on having a compliance program. Some dealers say they have a strong program, when, in fact, they (sadly) do not.

"For example, do you have a designated compliance person at each store?"

These duties do not have to be a full-time, exclusively focused job. Compliance duties can be a part of an employee’s other responsibilities.

If no one is designated as the compliance person at each store, then you really have no program. No one is actually performing the work. Now is a great opportunity to start your GRC program, as enforcement activity against dealerships by the Federal Trade Commission (FTC) and the state Attorneys General is on the upswing.

In November of 2021, the FTC passed new regulations with which dealers must comply as a part of the Gramm Leach Bliley Act (GLBA), originally effective on May 23, 2003.

There were two (2) new deadlines for compliance: January 10, 2022 and December 9, 2022.

The December 9 deadline was pushed to June 9, 2023.

(The update alone was forty-two (42) pages of small, eight (8) point type set in three (3) columns in the Federal Register.)

Here’s a brief summary of what you need to know to be compliant on this issue:

About GLBA

The GLBA was born out of the need to protect customers’ Personally Identifiable Information (PII). It is a federal data security rule which requires dealers to keep customer information secure and protected.

The original rule added the burden to the dealers of ensuring that affiliates and service provider partners of the dealership safeguard the customer data, as well.

This has translated into these actionable items:

  • Locking all doors and access to any place at the store which may have PII
  • Disposing of and/or securing unfunded deals, pay stubs, tax returns, etc.
  • Limiting access to computer applications which may house PII

The overabundance of data breaches necessitated an FTC update in 2021.

January 10, 2022 Deadline

By January 10, 2022, the dealership was to:

  • Develop a written Information Security Program (ISP) which contains administrative, technical, and physical safeguards “that are appropriate to your size and complexity…and the sensitivity of any customer information at issue.”
  • The dealership’s ISP should “base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.”
  • Risk Assessments: “You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure…or compromise of such information and reassess the sufficiency of any safeguards in place to control these risks.”
  • Test or Monitor: “Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.”
  • Oversee Service Providers: Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue. Dealers are required to contract with those providers to implement and maintain such safeguards.
  • Evaluate and Adjust your ISP in light of:

- Testing and monitoring

- Any material changes to your operation

- The result of your risk assessment

- Any other circumstances which may have a material impact on your Information Security Program

June 9, 2023 Deadline

Unfortunately, there’s more work to be done:

  • The definition of PII has changed to include home address, email address, and cell phone number.
  • Your ISP should be written.
  • Data containing PII must be encrypted both in transit and at rest.

  • The dealership must have a written data retention policy and adhere to it.
  • A qualified individual must be designated to oversee, implement, and enforce the ISP.
  • Limit and monitor who has access to PII.
  • Oversee Service Providers (vendors) with written agreements to ensure compliance with protecting the customer data. These must be re-verified at least annually. Dealers are required to monitor and assess these vendors and to audit and document the interactions.
  • Required Change Management Procedures:

- Written

- If someone gets fired or quits, your program can continue by following these procedures.

- Controlling the lifecycle through procedure standardization to manage the risk and minimize the disruption.

  • The Risk Assessment must be in writing and contain:

- Identified security risks

- Criteria of existing controls

- Description of how the risks will be mitigated

- Some risk is acceptable but must be written as to “why”

- Must be updated as risks suggest

- Dealers must periodically perform these assessments

  • For information technology (IT) requirements:

- Must have multi-factor authentication (MFA)

- Continuous monitoring of IT systems or annual penetration testing and vulnerability assessments conducted at least every six (6) months

- Anti-virus software

- Endpoint protection to remotely monitor and update all computers

  • Annual employee training for all employees

- Documented with signed employee acknowledgements

- Mandatory

- Everyone must complete training without exceptions

  • Written Incident Response Plan

- How the dealership will respond to a data breach

- Who has what responsibility and can make decisions

- Communications inside the store and to third parties

Data encryption is the “biggie” here. All data which contains PII must be encrypted both in transit and at rest. For example, that means when someone is scheduling a service appointment through your website, that data must be encrypted between the scheduler and your service advisors. As another example, the data sitting in your CRM must be encrypted at rest.

There’s a lot to work on here.

As another example, salesmen can no longer send PII to their manager through email, as email typically is not encrypted. The GLBA impacts your relationship with most internet vendors.

Consider going to your payables department and having them develop a list of any vendors which have anything to do with email or the internet. Then contact them one by one to see whether or not they are compliant with encrypting their data. There are SaaS software solutions to help keep track of this activity.
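The vendor list above, together with the annual re-verification requirement from the June 9 list, is easy to track in a simple script before (or instead of) buying a SaaS tool. The following is an added example, not code from the article or from Better Vantage Point: it walks a constructed vendor inventory (vendor names, endpoints, attestation dates, and agreement flags are all made up for illustration) and flags three things a compliance person would chase up: an endpoint whose URL scheme does not guarantee encryption in transit, a written attestation older than a year, and a missing written safeguards agreement. The scheme check is only a first pass; confirming encryption still means asking the vendor, as the article describes.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed sample inventory (hypothetical vendors, not real ones). Each row is:
# (vendor name, endpoint customer data is sent to, date of last written
#  attestation from the vendor, whether a written safeguards agreement is on file)
VENDOR_INVENTORY = [
    ("Example CRM Co.",       "https://crm.example.com/api",      date(2023, 1, 15), True),
    ("Example Scheduler Co.", "http://schedule.example.net/book", date(2022, 11, 2), True),
    ("Example Lead Broker",   "https://leads.example.org/upload", date(2021, 8, 30), False),
    ("Example Email Gateway", "smtp://mail.example.com",          date(2023, 3, 1),  True),
]

# The rule calls for re-verifying vendors at least annually.
REVERIFY_DAYS = 365

# URL schemes that by themselves imply an encrypted transport. Anything else
# (plain http, smtp, ftp, ...) cannot be assumed encrypted from the URL alone.
TRANSIT_ENCRYPTED_SCHEMES = {"https", "sftp", "smtps", "ftps"}


@dataclass
class Finding:
    vendor: str
    issue: str


def check_vendor(name, endpoint, last_attested, has_agreement, today):
    """Return the list of compliance findings for one vendor row."""
    findings = []

    scheme = urlparse(endpoint).scheme.lower()
    if scheme not in TRANSIT_ENCRYPTED_SCHEMES:
        findings.append(Finding(
            name,
            f"endpoint scheme '{scheme}' does not guarantee encryption in transit; "
            "confirm with the vendor",
        ))

    age_days = (today - last_attested).days
    if age_days > REVERIFY_DAYS:
        findings.append(Finding(
            name, f"last attestation is {age_days} days old; annual re-verification overdue"
        ))

    if not has_agreement:
        findings.append(Finding(name, "no written safeguards agreement on file"))

    return findings


def review_inventory(inventory, today):
    """Map each non-compliant vendor name to its list of issue strings."""
    report = {}
    for name, endpoint, attested, agreement in inventory:
        issues = check_vendor(name, endpoint, attested, agreement, today)
        if issues:
            report[name] = [f.issue for f in issues]
    return report


if __name__ == "__main__":
    # Review the constructed inventory as of the June 9, 2023 deadline.
    for vendor, issues in review_inventory(VENDOR_INVENTORY, date(2023, 6, 9)).items():
        print(vendor)
        for issue in issues:
            print(f"  - {issue}")
```

Running it as of the June 9, 2023 deadline lists three of the four constructed vendors: the scheduler for its plain-http endpoint, the email gateway because an `smtp://` URL says nothing about whether TLS is in use, and the lead broker for both a stale attestation and a missing agreement. Feeding it the real payables list, with the dates of the signed agreements, gives the compliance person a standing to-do list that is refreshed every time the script runs.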

"Fines for non-compliance are $50,120 per violation."

The FTC can take an expansive view of what a “violation” is, depending on the circumstances, particularly if there are issues involving multiple customer records.

Data breaches are real and happen every day. Currently, one dealership in northern Virginia is immersed in a class action suit over a data breach. These lawsuits are wildly expensive.

Consider that good data security is also a good business practice. Do you really want to call your third (3rd) generation customer and tell him his data is sitting out on the dark web as a result of a breach from your store?

While not part of GLBA, cyber insurance should be a consideration and a part of your GRC program in order to protect your assets. While volumes have been written about these policies, I think it is important to talk about a few niggles. To be diligent about your cyber policy, consider:

  • Reading the exclusions. You might be surprised at what you find.
  • Is there a sublimit for ransomware, or do you have coverage to the full limits?
  • Do you have business interruption coverage resulting from a breach?
  • Is there a “cap” on the number of individuals that the policy will cover?
  • Are penalties from regulatory bodies covered by the policy?
  • Are “end of life” computers or software covered by the policy?

The overall philosophy with the GLBA (and the rest of your GRC program) here should be:

  • Remediate and correct
  • Document and report
  • Evaluate and revise


If you handle the preventative risk and ameliorate these issues, you can focus on the more positive side of the twenty-six (26) items above, like increasing your enjoyment and making money!

And that’s how you can stay on the black side of the ledger! Cheers!

A dealership franchise owner for thirty years, Tom is now the Lead Consultant & Founder of Better Vantage Point, providing Dealer Dispute, Compliance and Risk Mitigation Solutions.

Tom also spearheads Tuck The Octopus which helps dealerships proactively manage governance, risk and compliance which has a direct impact on the customer experience.
