The Shoulder Bone Is Connected to the Back Bone

Many of you may be familiar with the children’s sing-along song called “Dem Bones” or “Dry Bones.” Most verses recite the connection between the bones: “Shoulder bone connected to the back bone, back bone connected to the hip bone,” and so on.

You may be wondering what, exactly, this has to do with you. Well, any agent who has an interest in keeping their dealers off the federal regulatory radar needs to understand the security measures those agencies are demanding and how to meet them.

Assembling the Skeleton

Well, the “back bone” of every dealership is the dealer management system (DMS). Connected to that “back bone” are lots of other “bones” such as the business development system (BDS), a customer relationship manager (CRM), menu sales tools, iPads, smartphones, laptops and other devices.

Contained in the DMS are pieces of nonpublic personal information (NPI) pertaining to clients and potential clients which can be part of this digitally interconnected skeleton. One variety of this digital interconnectivity is referred to as peer-to-peer (P2P) file-sharing technology.

The federal Safeguards Rule requires, among other things, that dealers have a written security plan that contains administrative, technical and physical safeguards of customer’s information. Customer’s information includes NPI, which includes information a customer provides to the dealer to obtain a financial product or service.

Think about your typical dealer client. How many points of access to the customer NPI in the DMS back bone are there? If a salesperson pulls up their CRM to call Charlie Customer, does he have access to the DMS with Charlie’s credit score, credit application, date of birth, driver’s license number and other pieces of NPI? Can the salesperson access the DMS from his or her laptop while offsite?

Aside from the “front of the house” type of issue of controlling digital interconnectivity, have you reviewed your dealers’ agreements with their finance sources lately? As you may be aware, as far as the CFPB is concerned, the dealership is what is called a “service provider” for Mr. Big Bank. That means that the bank can be held liable for any improper act that is committed by one of its dealers.

As a consequence, almost all dealer/finance source contracts have some pretty scary indemnity/chargeback language incorporating compliance addendums or similar language. What this means, as a practical matter, is that failure to secure NPI in the DMS “back bone” could not only create liability for any injuries that the customer may suffer and reputational risk for the dealer, but could seriously jeopardize the dealer’s financing source.

Case Study

Franklin Budget Car Sales of Statesboro, Ga., used a computer network to conduct business and collect customer information and data, including such items as online credit applications, outside lead information, customer automobile and payment records, and finance and insurance records.

Franklin also, unfortunately, had P2P software installed on a computer connected to its network. As a result, the NPI of 95,000 customers was made available on the P2P network. Anyone operating a computer containing compatible P2P software would have access to view or download any files shared on the P2P network.

The FTC found this practice to be a violation of the Safeguards Rule. No financial penalty was assessed; however, Franklin was required to completely overhaul its information security program and report to the FTC for a period of 20 years. Keep in mind that there was no allegation that any of the 95,000 affected customers’ NPI was actually used to the detriment of the customers, just that it was available on the P2P network.

So what is the takeaway here? Well, while the back bone may be connected to the hip bone, you should take appropriate steps to make sure that the NPI on your dealers’ DMS is properly secured, that their computer network (and all devices with access to their computer network) contain no P2P software, and that they maintain adequate “administrative, technical and physical safeguards” to protect the security, confidentiality and integrity of personal information collected from or about customers.