How many times have you received a call from your own area code with the same three-digit exchange prefix as your number? Too many, right? This type of caller ID spoofing is known as “neighbor spoofing”: the displayed number is chosen to look like a neighbor’s so that you are more likely to pick up the call.
In fact, the caller is deliberately falsifying the number and name sent to your caller ID display to disguise their true identity. This is typically done by a robocall which, when answered, transfers you to a person attempting to make some sort of sales pitch, although occasionally it is used by identity thieves. Last year, 2.5 billion robocalls were made each month!
On an NBC News exposé, the interviewee sitting in the studio used caller ID spoofing to masquerade as the interviewer, called the interviewer’s mother, and got her to reveal her Social Security number, thereby stealing the interviewer’s personal information on camera.
Understandably, consumers are very irritated, angered and frightened by these tactics. This is the nature of some of the current threats facing consumers and businesses with consumer facing data. Can this happen in your clients’ dealerships?
End Users at Risk
Do the dealerships you serve have safeguards in place to prevent their customers’ nonpublic personal information (NPI) from being stolen, as mandated by the federal Safeguards Rule? Do they also protect customer information that is publicly available, since that is exactly what a spoofer uses to sound credible? Does their shop have sales worksheets, repair orders, parts slips, body shop estimates and CRM systems which are unsecured? Do any of these documents contain data such as a prospect’s or customer’s NPI, or even an unpublished telephone number or email address?
Part of the compliance responsibility is to understand the evolving nature of the threats to customers and to plan to address such threats before they happen. Caller ID spoofing is one type of identity threat: the name and telephone number of the real caller are concealed behind whatever the caller chooses to transmit, so the display tells you nothing reliable about who you are really speaking with, before or after you accept the call. The scenario where the person’s identity was stolen and used is, quite simply, identity theft.
So what lessons can be learned here?
First, we must accept that safeguarding customers’ NPI is of paramount importance. ... But is this enough? There are many laws which seek to protect the consumer from these types of attacks, but could they anticipate this new reality? Let’s take a closer look at four applicable regulations:
- Under the Truth in Caller ID Act, a person is prohibited from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongfully obtain anything of value. Note the intent element: the Act does not ban spoofing outright, so a business that displays its main switchboard number on outbound calls is not violating it. Illegal spoofing is subject to a penalty of up to $10,000 per violation.
- Using an automatic telephone dialing system (ATDS) to make telemarketing robocalls can also trigger other laws. For instance, under the Telephone Consumer Protection Act (TCPA), your dealers may not make telemarketing calls using an ATDS or a prerecorded voice unless they have the consumer’s prior express written consent.
- Under the CAN-SPAM Act, you cannot send commercial emails unless certain disclosures are accurately made: truthful header and sender information, a non-deceptive subject line, identification of the message as an advertisement, a valid physical postal address, and a working mechanism to opt out of future marketing emails, which must be honored promptly.
- The Red Flags Rule requires creditors, which includes dealers that arrange or extend financing, to maintain a written identity theft prevention program: to watch for the warning signs of identity theft and to know with whom they are doing business. In the event of a violation of any of the foregoing acts, a UDAP (unfair or deceptive acts or practices) claim will presumably be included, which will escalate any potential liability.
There is a lot of anger in the marketplace due to unscrupulous robo-spammers and what seems to be daily bombardment by robo-callers. Identity theft is rampant. Poor security practices and data breaches dominate the news. (I am looking at you, Equifax.) In fact, the Data Security and Breach Notification Act, which has just been proposed, would impose jail time on executives who knowingly conceal a breach rather than notify consumers.
So to paraphrase a certain movie: What are you going to do and who are you going to call?
Each of your dealer clients must have a complete compliance management system (CMS) in place. Each dealer should meet with their appointed chief compliance officer (CCO) and review the current “threat board.”
Do you need to revise your policies and procedures to meet the new threats? Does your sales staff accept, on faith, that they are talking with the person identified solely by the caller ID display on their phone? Caller ID is unauthenticated data supplied by the calling party, so it should never be the sole basis for releasing account information; staff who need to confirm a caller’s identity should hang up and call back at a number already on file for that customer. If you do any telemarketing, does it comply with the alphabet soup of laws designed to protect the consumer from unwanted spam messages?
You must take affirmative action to value and protect the relationship between your dealers and their customers, whether it be safeguarding their NPI against data breaches or not subjecting them to unwanted commercial spam messages. Failure is not an option here, and if the Data Security and Breach Notification Act becomes law, failing to notify customers of a breach could result in jail time.