Privacy: None of Your Business?

Are privacy concerns part of your business? If not, they should be. Ignoring them can unnecessarily expose your agency, your reputation and your dealer clients to great harm. To begin with, it is necessary to understand NPI.

NPI is a common abbreviation for nonpublic personally identifiable financial information. Personally identifiable financial information, in turn, means any information a consumer provides in order to obtain a financial product or service from you, typically a loan application. Car dealers who extend credit or arrange financing or leasing have certain responsibilities with regard to safeguarding NPI.

NPI is commonly found in dealerships in credit applications, driver’s licenses, credit card numbers and credit reports, to name a few, and can be on paper or in computer files. Let’s take a closer look at the process and benefits of securing this information.

Leave No Stone Unturned

Let’s start at the top. Does your dealership have policies and procedures in place to address safeguarding NPI? What happens to the customer’s driver’s license while they are taking a test drive? Do they sit on your salesman’s desk or in his or her drawer? What about credit card numbers? Do they sit in an unsecured area when a customer wants to get a rental car?

Do all employees have “all access” to the dealership computer network where customers’ NPI is stored? Are secure passwords and authentication required to access NPI, and is there a suspension protocol after a certain number of unsuccessful attempts? What are your polices regarding paper records? Where are they stored and who has access to the storage area? Where do you store “dead deal” files? How about “closed deal” files? These files are filled with NPI. Where are they stored, how are they secured and who has access to them? What happens when you need to move these files within the dealership or to a different building? What are your policies and procedures to keep them secure? How many sets of keys are there to the secure room and who has those keys? What happens when your salesmen or managers get up to leave their desks? What is displayed on their screen and is the network secured before they leave their desks? What are your remote access policies?

The policies and procedures should be overseen by a compliance coordinator with authority to carry out the duties of the position and who reports to the general manager or dealer. Can your dealer clients say, in good faith — as required by the Safeguards Rule — that they maintain “physical, electronic and procedural safeguards to protect the confidentiality and security of the information we collect”? Is there a training program in place so that existing employees and new hires are trained on the compliance issues, including the importance of securing NPI and protecting the business’ reputation?

When Disaster Strikes

One increasing risk of failing to secure NPI is a data breach or other security incident. In 2015 alone, there were almost 800 reported data breaches; many more go unreported. Each time a data breach happens, a business’ reputation suffers, money is lost and that business may come under strict regulatory scrutiny.

Have your dealers performed a risk assessment or security audit? Do you know if there are vulnerabilities in the process to taking, processing, storing and disposing of NPI? As previously mentioned, I would bet that your dealers’ sales desks and storage areas could be areas of concern as far as securing NPI goes. Is there a process for addressing any reports or discoveries of security vulnerabilities? Do you use industry standard methods to secure and monitor your network? Do you test your information security program regularly?

Does your business use outside service providers who have access to your customer’s NPI? For instance, do you use a contact management/business development system such as BDC or CRM which interfaces with your DMS? Can those other applications access NPI which you have stored in your DMS? Do you have a segmented network? Do you have contracts with written security expectations from the service provider? Do you oversee your service provider to verify they are compliant with your security expectations?

While it may be tempting to consider these ideas as something that will never happen to you or your clients, you should be aware of the consequences. Aside from the incalculable value of the loss of their customer’s goodwill, the FTC can seek civil penalties of $100,000 per violation against the business and $10,000 per violation against liable officers and directors. In addition to these civil sanctions, there can also be criminal penalties and claims of unfair trade practices. You may have heard of LifeLock, a company that specializes in identity theft prevention. LifeLock was recently penalized $100 million, in part because it failed to establish and maintain a comprehensive information security program. This is a company that is supposed to specialize in security! And that is a lot of zeros and a lot of reasons why compliance and privacy should have your undivided attention.

If you are reading this article, then you must know the importance of privacy rights and nonpublic personal information. Protecting privacy and customers’ NPI must be part of your business plan, now and for the future. As the old adage goes, no one plans to fail, but many fail to plan. While perhaps no system can be “bulletproof,” it makes good business sense to make reasonable efforts to protect yourself from the dangers of not securing customer privacy and NPI. Go out there and do all you can to protect yourself, your business and your dealer clients’ hard-earned goodwill and implement your security program!