Lost in the compliance maze the past few years has been the importance of a dealership’s continuing obligation for the security of customers’ nonpublic information.
Most dealers recognize a duty to safeguard customer information at their stores. What many dealers may not know, however, is the full extent to which that requirement extends outside the doors of the dealership.
For more than a decade, identity theft has remained at or near the top of the Federal Trade Commission’s (FTC) consumer complaint list. In response, regulators continue to bring enforcement actions, and in the private sector, plaintiffs’ class action attorneys are making significant progress in data-breach cases.
In late 2015, the FTC finalized a settlement with Wyndham, and in early 2016 the Consumer Financial Protection Bureau (CFPB) entered the privacy fray with an action against Dwolla, Inc., for allegedly deceiving customers about its data security practices.
You read that correctly: deceiving customers. The FTC, state attorneys general, and now the CFPB have used their powers under the applicable unfair and deceptive practices acts to sue companies that have experienced the loss or theft of customer information.
This should not be surprising because every time a consumer is given a privacy notice, he or she is being given a representation by the business entity that it takes reasonable safeguards to protect customer information.
Dealerships and third parties
Every dealership makes the following written statement to customers it provides with a federally required privacy notice:
To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.
A dealership's failure to protect customer information is deemed contrary to this promise and is actionable as a deceptive practice. Most dealerships know of the need to protect the information they acquire and maintain.
Where many drop the ball, however, is trying to verify that the third parties with access to the dealership’s information have compliance procedures in place.
The Safeguards Rule, as summarized by the FTC, states:
The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. Besides developing their own safeguards, companies covered by the Rule must take steps to ensure that their affiliates and service providers safeguard customer information in their care.
If you focus on the last part of the rule summary, you’ll see that the FTC requires you to try to ensure service providers that have access to your customer information have sufficient security and training protocols in place.
This means any vendor with access to your dealership’s customer information, whether electronic or otherwise, needs to have a privacy compliance program in place that is sufficient under the circumstances to protect your information.
The importance of vetting
In short, what this means to you: Vetting your third-party providers is often overlooked, and that is a mistake. According to a Booz Allen Hamilton survey, third parties were the No. 1 security risk to financial services firms in 2015.
A report from PricewaterhouseCoopers LLP, US Cybersecurity: Progress stalled; Key findings from the 2015 US State of Cybercrime Survey, says, “The need for due diligence of the security capabilities of third parties has gained prominence in the past year, in part because of high-profile breaches that began with attacks on the systems of business partners.”
The report goes on to say that the need for third-party assessment is not new, but regulators are now “becoming increasingly serious about third-party risk management and expect that organizations can prove due diligence, and ongoing supervision and governance.”
Therefore, it is essential to remember this fact: You, the dealership, are answerable for the theft of your customers’ information, even if it is taken from one of your third-party vendors.
The reasons are simple. First, federal law and regulations say so, and second, the customer gave you the information and you promised to safeguard it.
Perform an assessment
So, how do you get a handle on your third-party providers? In the past, you would ask vendors to give you a copy of their privacy notice, and they would provide it. But that was indeed the past, and this practice no longer constitutes due diligence in our current heightened state of regulation.
To properly manage your third-party vendor privacy program, you have to perform a dealership assessment to determine:
- Which third parties have access to your system?
- To what data do they have access?
- Is that access limited to what the vendor needs, or does it include customer information?
- For what purpose are they accessing the data?
- What vendors have access to your facility, and what areas?
At the conclusion of this assessment, you will have a list of vendors with access to your customer information that must be vetted. Each vendor with access to your customer information must take the security of that information seriously and have the training, policies, and compliance procedures in place that comply with federal law and best practices.
The FTC requires reasonable safeguards given the circumstances. The CFPB’s description of due diligence is more precise, and the steps it suggests include, but are not limited to:
- Conducting thorough due diligence to verify that the service provider understands and can comply with federal consumer financial law;
- Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts training and oversight of employees or agents with consumer contact or compliance responsibilities;
- Including in the contract with the service provider clear expectations about compliance, and appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
- Establishing internal controls and ongoing monitoring to determine whether the service provider is complying with required laws and regulations; and
- Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
Not every step will apply to every vendor with access to your facility and data, nor will you be required to do site visits for every vendor with access.
At a minimum, however, obtain written documentation of full compliance annually from each vendor. This can be done through a questionnaire or a combination of reviews and inspections. Keep in mind that a questionnaire is the vendor’s own attestation; for vendors with access to customer information, back it with the reviews the CFPB list calls for, such as the vendor’s policies and training materials and the compliance terms in your contract.
What is certain, however, is that a single-page privacy notice from your vendor no longer constitutes due diligence.
David R. Missimer, [email protected], is general counsel for Automotive Compliance Consultants, Inc. He spent 28 years in private practice as a litigator representing lenders, auto dealers and numerous other entities and individuals.