Is Your Information Safeguards Plan Keeping Up With Technology?

August 2012, Auto Dealer Today - WebXclusive

by Jim Radogna


In the course of day-to-day business, dealerships collect personal information from consumers, including names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The federal Safeguards Rule, which was enacted in 2003 and is enforced by the Federal Trade Commission, requires dealerships to have a security plan to protect the confidentiality and integrity of personal consumer information.

Since most dealerships are now far more technologically advanced than they were when the Safeguards Rule first came into play, protecting consumer information has become quite a bit more challenging. It’s no longer just a matter of making sure credit apps aren’t lying on top of desks in the showroom or that deal jackets are stored in locking cabinets.

The potential consequences for non-compliance with the Safeguards Rule are substantial. Besides private lawsuits and reputation damage, civil penalties of up to $10,000 per violation can be assessed, along with criminal penalties, which could include imprisonment and fines.

In case you haven’t noticed, it’s become painfully apparent that the FTC has placed car dealers on its enforcement radar screen recently. So, if you haven’t done so in a while, now may be a good time to dust off your Information Safeguards Policy and update it as needed. Following are some recommended guidelines and best practices for a modern Safeguards Program:

• Access to customer information should be limited to employees who have a business reason to see it, to the extent they need it to do their jobs.

• Dealership employees should not be permitted to reproduce customer information for any use not authorized by the dealership.

• Any customer information that is allowed to leave the dealership, either in paper form or on employees’ electronic devices, can greatly increase a company’s exposure. Customer information should always remain in management control. Allowing staff members to retain “working” customer files for follow-up purposes is risky at best. In addition, consider limiting CRM access to dealership computers only for all but the most trusted top-level personnel. If you allow certain employees to use personal computers to store or access customer data, they should be required to use protections against viruses, spyware and other unauthorized intrusions.

• The dealership should utilize anti-virus software and maintain computer firewalls.

• The ability to download customer information from dealership computers to portable media such as USB drives, external hard drives or other remote devices should be disabled.

• Paper-based customer information should not be left exposed and unattended in an unsecured area, and it should be stored in a room or file cabinets that are locked or otherwise not available to the general public. Be aware that consumer information in plain sight can be taken or even photographed with a cell phone.

• All customer information should be disposed of in a secure manner. Paper-based customer information should be shredded prior to disposal and electronic information should be effectively deleted prior to hardware disposal. This includes the hard drives of digital copiers, fax machines and PCs.

• Electronic customer information should be stored on secure servers and access to the information should be password-controlled.

• Computer monitors in non-secure areas should be locked when not in use. Password-activated screen savers should be used to lock employee computers after a period of inactivity.

• “Strong” passwords (tough-to-crack passwords of at least six characters that mix upper- and lower-case letters, numbers, and symbols) should be required and changed on a regular basis. Passwords should not be shared or openly posted in work areas.

• Inbound or outbound credit card information, credit applications, or other sensitive financial data transmitted to the dealership directly from consumers should only be sent through an encrypted or secure connection. Consumers should be advised against transmitting sensitive data by email or fax. If sensitive data must be transmitted to the dealership by email, such transmissions should be password-controlled or otherwise protected from theft or unauthorized access.

• Customer financial information should not be stored on any computer system with a direct Internet connection.

• Policies should be in place for appropriate use and protection of laptops, PDAs, cell phones, and other mobile devices.

• Terminated employees should be prevented from accessing customer information by immediately deactivating their passwords and usernames and taking other appropriate measures.

• Procedures should be established to preserve the security, confidentiality and integrity of customer information in the event of a computer or other technological failure. The dealership should notify customers promptly if their customer information is subject to loss, damage or unauthorized access. The FTC requires this, and time will be critical in the aftermath of a breach to identify the problem, fix it, and take appropriate response measures.

• Employee training is a key component of an effective Safeguards program. Staff members should be trained to take basic steps to maintain the security, confidentiality and integrity of customer information. For instance, Internet sites that your employees visit may contain malware. Make sure that employees understand not to click links in emails from unknown persons. New employees should be trained immediately and all employees should be retrained regularly.

These steps require some diligence but are well worth the effort compared to possibly dealing with lawsuits, regulatory actions, or hits to your valuable reputation. Do yourself and your customers a favor by following best practices for protecting personal information.

Vol. 9, Issue 6


  1. William V. Fowler [ September 12, 2012 @ 10:32AM ]

    Jim, this is a great article; however, some of the Safeguards you mentioned are old-school protection compared to what is available inside a SaaS web-based software program like we have at E-net. Not bragging, it's a fact!

    Call me if you would like to view our software process. There are no other programs that offer half the service, protection, and ease of process during the loan approval and origination process. Our system will also keep dealers and lenders in compliance with Federal and State Rules and Regulations. Automatically!

  2. Al Mosher [ September 12, 2012 @ 10:34AM ]

    Great article, Jim!!! Every car dealer needs to take another hard look at their compliance efforts as the FTC and CFPB start to get serious about taking a look at the auto industry.




