
Phil Gramm, Jim Leach, Tom Bliley, and You

July 11, 2018



Compliance Questions

  • Would you like to be subjected to a potential fine of $41,484 per day?

  • Or enter into a 20-year consent judgment where you are subject to biannual audits?

  • Would you like to be subjected to as much as a $50,000 statutory penalty per violation?

  • Or pay legal fees, costs, and damages for breaches of contract or negligence claims that could run into the millions of dollars?

Answering These Questions in the Affirmative


If any of these results seem attractive to you, then haphazardly download great quantities of data from your dealer management system, especially nonpublic personal information (NPI), place it where other people can access it, or, better yet, share it with everyone. You and the dealership will face these consequences.



The Relevant Law Guiding these Results


Today, in 2018, it is only a footnote for the automotive industry that the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act, or GLBA — named after its progenitors, Senator Gramm and Congressmen Leach and Bliley — was enacted to eliminate the Glass-Steagall Act of 1933, which, in this author’s viewpoint, was a legislative error. Banks, brokerage firms, and insurance carriers were prohibited from merging under the Glass-Steagall Act, which prevented the concentration of capital.


GLBA repealed this law so that these types of institutions can merge. But two elements of the GLBA are relevant to people in the automobile industry: the Privacy Rule and the Safeguards Rule.


The Privacy Rule: As the name implies, privacy is the issue. When a consumer relationship begins, the dealer must provide a privacy notice to that consumer. There are almost 300 variations of these notices, which must tell the consumer how data is collected, shared, used, and protected. In addition, the consumer must be given an option to opt out of any sharing of his data with third parties. This notice must be provided annually. The model privacy form can be found at: http://www.ftc.gov/privacy/privacyinitiatives/PrivacyModelForm.pdf.


The Safeguards Rule: The Safeguards Rule is the corollary of the Privacy Rule. As one should recognize, dealers are creditors and, as such, must develop a written security plan detailing how the dealership is protecting consumer data. A compliance officer should be appointed to oversee these safeguards. A dynamic plan should be developed that addresses the risk, with programs designed and tested to redress it, and with reevaluations and changes to the plan as the nature of the business evolves. Encryption, firewalls, passwords, and locked vaults and desks are examples of safeguards.


Access to Data in the Dealer Management Systems (DMS)


Reckless dealers will allow free access to the data stored in the DMS. And reckless F&I managers will access this data with abandon if given the opportunity. A sophisticated DMS will only provide data to personnel at the store commensurate with their job status and need. In other words, the general manager will have greater access to the stored data than an F&I manager.



User access to data should be reviewed and updated continuously, as the Safeguards Rule requires. In DMS parlance, “PII” is being protected. PII is personally identifiable information — any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize anonymous data, can be considered PII. NPI is the acronym from GLBA itself for “personally identifiable financial information” and is similar in concept to PII. Private consumer information, which is not readily available, would be considered NPI. It is “derived using any personally identifiable financial information” that is “not publicly available.”


What Must be Done 


GLBA was passed in 2003, so it would be astounding if a dealer had not already complied with its requirements and were not continuing to do so. It is important to emphasize that the Safeguards Rule must be dynamic and continually updated. Anyone who works at the store should consult this written plan. As the organization evolves, these changes should be expressed in the written plan. This plan should include certain basic protocols for keeping consumer information secure and confidential, such as:

  • Locking rooms and file cabinets where records are kept;

  • Not sharing or openly posting employee passwords in work areas;

  • Encrypting sensitive consumer information when it is transmitted electronically via public networks;

  • Referring calls or other requests for consumer information to designated individuals who have been trained in how your company safeguards personal data; and

  • Reporting suspicious attempts to obtain consumer information to designated personnel.

  • Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.

  • When consumer information is stored on a server or other computer, ensure that the computer is accessible only with a “strong” password and is kept in a physically secure area.

  • Where possible, avoid storing sensitive consumer data on a computer with an internet connection.

  • Maintain secure backup records and keep archived data secure by storing it offline and in a physically secure area.

  • Maintain a careful inventory of your company’s computers and any other equipment on which consumer information may be stored.

  • Copiers and fax machines may keep records of all documents which have been copied and faxed. These electronic files should be completely deleted before discarding or returning this equipment.

  • When you transmit credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection, so that the information is protected in transit.

  • If you collect information online directly from consumers, make secure transmission automatic. If you must transmit sensitive data by email over the internet, be sure to encrypt the data.

  • Dispose of consumer information in a secure way and, where applicable, consistent with the FTC’s Disposal Rule. This means one must burn, pulverize, or shred papers containing consumer information so that the information cannot be read or reconstructed.

  • Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing consumer information.

  • Check with software vendors regularly to get and install patches that resolve software vulnerabilities;

  • Use anti-virus and anti-spyware software that updates automatically;

  • Maintain up-to-date firewalls, particularly if you use a broadband internet connection or allow employees to connect to your network from home or other offsite locations;

  • Regularly ensure that ports not used for your business are closed; and

  • Promptly pass along information and instructions to employees regarding any new security risks or possible breaches.

  • Keep logs of activity on your network and monitor them for signs of unauthorized access to consumer information;

  • Use an up-to-date intrusion detection system to alert you of attacks;

  • Monitor both in- and outbound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user; and

  • Insert a dummy account into each of your consumer lists and monitor the account to detect any unauthorized contacts or charges.
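The last items in the list above (log review, outbound-transfer monitoring, and the dummy account) can be checked together in one pass over an activity log. The following is an added example, not part of the original article: the log format, account IDs, destination names, and the 100 MiB threshold are all assumptions made for illustration and do not reflect any particular DMS.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (hypothetical format): time,user,event,target,bytes
SAMPLE_LOG = """\
2018-07-02T09:14:03,fi_mgr1,record_read,CUST-10442,0
2018-07-02T09:15:40,fi_mgr1,outbound,lender-portal.example,48211
2018-07-02T22:41:17,svc_report,record_read,CUST-99999,0
2018-07-02T22:43:02,svc_report,outbound,203.0.113.50,62914560
2018-07-02T22:49:30,svc_report,outbound,203.0.113.50,73400320
2018-07-03T08:02:11,gm1,outbound,backup.example,910000000
"""

CANARY_IDS = {"CUST-99999"}  # dummy consumer record seeded into the list (assumed ID)
KNOWN_DESTINATIONS = {"lender-portal.example", "backup.example"}  # assumed allowlist
MAX_UNKNOWN_BYTES = 100 * 1024 * 1024  # assumed per-user, per-destination limit

def review(log_text, canaries=CANARY_IDS, known=KNOWN_DESTINATIONS,
           limit=MAX_UNKNOWN_BYTES):
    """Return alerts for dummy-account access and large transfers to unknown hosts."""
    alerts = []
    sent = defaultdict(int)   # cumulative bytes per (user, destination)
    flagged = set()           # pairs already alerted on, to avoid duplicates
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue          # skip blank or malformed lines
        ts, user, event, target, nbytes = row
        if event == "record_read" and target in canaries:
            # No legitimate workflow should ever touch the dummy record.
            alerts.append(("canary_access", ts, user, target))
        elif event == "outbound" and target not in known:
            key = (user, target)
            sent[key] += int(nbytes)
            # Alert once, at the transfer that pushes the running total over the limit.
            if sent[key] > limit and key not in flagged:
                flagged.add(key)
                alerts.append(("large_unknown_transfer", ts, user, target))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Transfers are totaled per user and destination, so two 60–70 MiB uploads that each look unremarkable still trigger the alert once their sum crosses the limit, while the larger backup to an allowlisted host does not.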

Should a breach occur in spite of your best efforts, the following steps should be implemented:

  • Take immediate action to secure any information that has or may have been compromised.

  • Preserve and review files or programs that may reveal how the breach occurred; and

  • If feasible and appropriate, bring in security professionals to help assess the breach as soon as possible.

  • Notify consumers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm;

  • Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm;

  • Notify the credit bureaus and other businesses that may be affected by the breach.

  • Check to see if breach notification is required under applicable state law.


Compliance Questions Explained


The Federal Trade Commission (FTC) enforces the Privacy Rule and Safeguards Rule against franchise dealers. Its regulatory penalty for violations is $41,484 per day. Certain independent and BHPH dealers will be disciplined by the CFPB.


These two rules don’t specifically allow for individual claims. However, this is not a problem for plaintiffs, since violating the GLBA is considered a violation of the state’s Unfair and Deceptive Trade Practices Act (UDAP), which means both state attorneys general and consumers can file lawsuits for these types of violations. In the state of Illinois, for example, the UDAP statutory damage amount is $50,000 per incident.


Furthermore, common law also provides a cause of action, should a dealership and F&I manager fail to carefully safeguard consumers’ NPI. This legal theory is the tort of negligence. A negligence claim has these elements:

  1. The defendant (dealer and/or F&I manager) has a duty to the consumer to keep the data secure;

  2. The defendant breached this data security duty;

  3. This breach was the cause of the consumer’s injury; and

  4. The consumer suffered damages because of the defendant’s breach of its data security duty.

Finally, many contracts include language that addresses the privacy and safeguarding of consumer data. If such a contract is materially breached, consumers can sue the dealer and you.



The privacy and safeguarding of a consumer’s data is a solemn responsibility. Dealers and all dealer employees need to be cognizant of these responsibilities.


Govern yourselves accordingly.
