
CUSTOMER INFORMATION SAFEGUARDING RULES

Upload: norman-golden

Post on 23-Dec-2015


TRANSCRIPT

CUSTOMER INFORMATION SAFEGUARDING RULES

Consumer Facts

Identity theft hit the 10 million mark during 2003.

It takes consumers 14 - 18 months to clear their name.

It costs the average consumer around $850.

Non-public information must be safeguarded.

Fines for not being compliant can be in the millions.

Employees must adhere to the policies established.

Recent Articles and Topics

“Your phone number, credit card number, Social Security number, debit card number and PIN. They may even know your mother’s maiden name. And they’ll sell it all for the price of a movie ticket. …the newest generation of identity brokers, thousands of criminals involved in some of the most brazen electronic attacks on…consumers in recent years…costing businesses nearly $50 billion.”

Dallas Morning News September 25,2004

The FTC has established a consumer web site titled “Facts for Consumers: When Bad Things Happen to Your Good Name”. It is an educational site where consumers can learn how to protect their identity and what to do if they experience a loss. The FTC also offers a “Complaint Input Form” that consumers who have experienced identity theft can use to e-mail the FTC directly. The form contains a section called “Problems with Companies” that asks the consumer, among other things, to identify the company by name, address and telephone number.

FTC web site: http://www.ftc.gov/bcp/conline/pubs/idtheft.htm

A web search on Yahoo found 407,314 identity theft topics.

“A car salesman has been arrested and charged in a widespread identity theft scheme that netted more than $400,000 in personal property…including a 2004 Harley Davidson…purchased utilizing stolen identity.”

The Associated Press August 1, 2004

CUSTOMER INFORMATION SAFEGUARDING RULES

The Privacy Rule (which this presentation calls the Privacy Act) and the Safeguarding Rule (the FTC’s Safeguards Rule) are both part of the requirements under the Gramm-Leach-Bliley Act.

The Privacy Rule deals with how you share the non-public information you obtain about your customers. The final date for dealers to be compliant with the Privacy Rule was July 1, 2001.

The Customer Information Safeguarding Rule deals with how you protect the non-public information you obtain about your customers. The final date for dealers to be compliant with the Safeguarding Rule was May 23, 2003.

Non-Public Information

• Credit applications
• Telephone numbers (unlisted)
• Social Security numbers
• Address
• Date of birth
• Job and income
• Credit bureau information
• Credit card numbers
• Credit limits and balances
• All account information
• Driver’s license number
• Checking account number
• Insurance policy number

The Federal Trade Commission says…

…each business must designate a Program Coordinator to oversee its Safeguarding efforts

…the Program Coordinator should have an above-average level of expertise in each of the operational areas of the business

…the Program Coordinator must oversee a thorough risk assessment of the business

…each business must develop its own comprehensive Written Information Security Program specific to its activities (the FTC is clear in its opinion that each business will be different from the next, even for multiple-point operations; one document will not be sufficient for all stores)

…the Program Coordinator must have the authority to inspect the business’s compliance status through an audit process

…the audit process is to be conducted on a periodic basis and should include the ability to discipline employees, up to and including termination

…the Program Coordinator needs to have direct access to the business owner and hold periodic meetings to identify and correct issues and problems discovered during the inspections

…all computers within the business must be equipped with up-to-date, effective anti-virus software and a firewall

…all computers within the business must be equipped with a password-protected screen saver (a screen lock)

…each computer user within the business must use a strong, complex password for the login process (the FTC used an eight-character alphanumeric password with at least one capitalized letter and at least one special character such as * - & # @ as its example of a “strong” password)

…each business is required to take reasonable steps to ensure that each of its selected vendors has the ability to adequately safeguard consumer non-public personal information

…vendor agreements must contain a contractual obligation for the vendor to maintain adequate safeguarding provisions to protect your clients’ identities
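The password rule quoted above (eight alphanumeric characters, one capital, one special character) is easy to state but says nothing about whether a password that passes it is actually hard to guess. The following is an added example, not code from the presentation or from the FTC: it checks a password against that rule as the presenter describes it, then runs a second, stricter check to show that passwords such as “Password1*” satisfy the 2004-era rule while being built on a dictionary word with predictable substitutions. The policy constants, the small deny-list of common base words, the substitution table and the sample passwords are all constructed for this example.

```python
import re

# Added example: the FTC example rule as paraphrased in the presentation
# (these constants are assumptions drawn from that paraphrase).
FTC_EXAMPLE_MIN_LEN = 8
FTC_EXAMPLE_SPECIALS = set("*-&#@")

# Constructed deny-list of base words attackers try first. A real deployment
# would check against a breached-password corpus instead of this short set.
COMMON_BASES = {"password", "welcome", "dealer", "summer", "qwerty", "letmein"}

# Constructed table undoing the usual "leet" substitutions (@ for a, 0 for o...).
LEET = str.maketrans("@0134$!", "aoleasi")


def meets_ftc_example(pw: str) -> bool:
    """True if pw satisfies the rule exactly as the presenter describes it."""
    return (
        len(pw) >= FTC_EXAMPLE_MIN_LEN
        and any(c.isupper() for c in pw)
        and any(c in FTC_EXAMPLE_SPECIALS for c in pw)
    )


def normalise(pw: str) -> str:
    """Lower-case, undo common substitutions and strip non-letters so that
    'P@ssw0rd1*' collapses to its base word 'password...'."""
    core = pw.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def weaknesses(pw: str) -> list[str]:
    """Reasons a password that passes the FTC example rule may still be weak."""
    reasons = []
    if len(pw) < 14:
        reasons.append("shorter than 14 characters")
    core = normalise(pw)
    if any(base in core for base in COMMON_BASES):
        reasons.append("built on a common base word")
    # Capital first letter, lowercase word, digits/symbols tacked on the end:
    # the shape most people produce when forced to add a capital and a symbol.
    if re.fullmatch(r"[A-Z][a-z]+[^A-Za-z]*", pw):
        reasons.append("capital-first, digits/symbols-last pattern")
    return reasons


def evaluate(pw: str) -> dict:
    """Combine both checks so a caller can see the rule pass and the caveats."""
    return {"meets_ftc_example": meets_ftc_example(pw), "weaknesses": weaknesses(pw)}


# Constructed sample passwords for the demonstration.
SAMPLES = [
    "Password1*",
    "P@ssw0rd1*",
    "dealer#2004",
    "correct-horse-Battery-staple",
    "short*A",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = evaluate(sample)
        print(f"{sample!r:32} ftc_example={result['meets_ftc_example']} "
              f"weaknesses={result['weaknesses']}")
```

Running it shows “Password1*” and “P@ssw0rd1*” passing the FTC example rule while being flagged as short and dictionary-based, and the long passphrase passing both checks even though it contains no digit. The practical takeaway is that length and resistance to dictionary attack, not the presence of one capital and one symbol, are what make a login password strong.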

FTC Penalties and Fines

To review, the penalty for non-compliance is calculated as follows:

The FTC pays you a visit. They find 3 customer files not properly secured. The files are dated from 10 days ago. The fine would be:

…3 x $11,000 = $33,000 x 10 days = $330,000

The FTC would then ask to see your Written Information Security Program and your Program Coordinator.

If the FTC is not satisfied with your effort to secure your consumer information, they could assume that you have never been in compliance, and the fine would be recalculated based on the following:

…3 x $11,000 = $33,000 x 505 days (since May 23, 2003) = $16,665,000

STEPS TO COMPLIANCE

STEP 1: Get started – Do something

STEP 2: Read and understand the Safeguarding Rule

STEP 3: Assign a qualified Program Coordinator

STEP 4: Empower the Program Coordinator with authority

STEP 5: You must make sure that ALL employees fully cooperate with the Program Coordinator

STEP 6: Write your Information Security Program based on your individual risk assessment

STEP 7: Publish your Written Information Security Program to the appropriate parties

STEP 8: Train all employees to understand your Written Information Security Program

STEP 9: Incorporate your Safeguarding Rules into your Routing Process document

STEP 10: Review all of your Vendors to ensure that they are in compliance

STEP 11: Review all computers to ensure that they meet the Safeguarding standards

STEP 12: Establish a structured audit routine with your Program Coordinator

STEP 13: Meet with your Program Coordinator on a regular basis to discuss issues

STEP 14: Amend your program as needed

STEP 15: Train all new employees, re-train every year or whenever you amend your program

STEP 16: Document all training

THE FIVE STEPS

• TRAINING: Every employee is required to take a Safeguarding Rules training course. The course should be your Written Information Security Program broken down by department. Each employee must pass the test each year or as changes occur.

• PROGRAM COORDINATOR: You must select the proper individual to assume the duties of the Program Coordinator. Your Program Coordinator must be an individual that is willing and able to “lead the charge” for change.

• WRITTEN INFORMATION SAFEGUARDING RULES: Your Program Coordinator must establish your Written Information Security Program unique to your dealership. This is accomplished primarily by “Blueprinting” your existing dealership operations and current layouts.

• AUDITS AND INSPECTIONS: Periodic inspections and audits are required to ensure that the changes identified are being implemented and followed. The Program Coordinator must establish a routine inspection check sheet that reflects your new processes. Changes to your existing Written Information Security Program should be based on the results of your audits.

• MAINTENANCE AND FOLLOW UP: Your program must change as litigation changes the interpretation of the Safeguarding Rules. Several states are currently reviewing the need for separate state issued regulations. The state of California has already approved a separate state law aimed at Privacy issues. Your information and program needs to be monitored and kept up-to-date as the Safeguarding Rule is altered and changed on Federal and State levels.

AUDIT

• Non-public Customer Information
  • Employees have a good understanding of what information needs to be safeguarded
  • The majority of employees state that they understand the importance of safeguarding

• Program Coordinator
  • Many dealerships have yet to assign a Program Coordinator
  • Program Coordinators have stated that they really don’t have time for this

• Written Information Security Program
  • Most dealerships do not have a unique program written
  • Many written programs are not specific and are too generic in nature

• Inspections and Audits
  • Very few dealerships have completed any type of audit
  • Very few changes have been made based on the results of those audits

• FTC Penalties and Fines
  • The potential for heavy fines does not seem to be a valid reason to comply

• Key components to comply
  • Not taken seriously

MORE SPECIFICALLY…

• Social Security numbers were easily found in all sales areas in all stores visited
• Copies of driver’s licenses, with Social Security numbers, easily found
• Credit applications in the possession of the sales team and out in the open
• Customer worksheets that include Social Security numbers and dates of birth
• Full deals located and stored at sales desks
• We were able to pick up several deals and walk out of the building
• Signs labeled “Do Not Enter – Employees Only – Customer Non-Public Information”
• Social Security numbers hand written on repair orders
• Service technicians’ and service writers’ Social Security numbers printed on R.O.’s
• Employee applications left out in the open
• Employee paychecks left out in the open
• Dead files stored on the floor behind sales and F&I desks
• F&I offices left unattended and open for extended periods of time
• Vendors and wholesalers walking through the general office areas
• Customer credit bureau reports printed on printers located in the middle of the showroom floor
• Credit card machines that print full customer account numbers
• F&I managers leaving pending deals on their desk throughout the night
• F&I managers leaving their desk with a client in their office and deals out in the open
• Locks on the F&I manager’s office door, with all salespersons walking in and out at will

Program Coordinator

• The position of Program Coordinator should be assigned based on the person, not the position

• Your Program Coordinator should possess the following characteristics:
  • Extreme loyalty to your dealership and its owner
  • A military background is helpful
  • Someone you can hold accountable
  • Someone not easily intimidated
  • Someone who does not mind being a tattletale
  • A person who will force the issues to resolution
  • A person who will support the effort to change

Written Information Security Program

• All programs must be written based on your dealership’s unique business structure

• Each of multiple locations must have its own unique program

• The Program Coordinator is responsible for the program

• All employees must be trained based on their job title

• Awareness must be maintained by upper management to ensure that change occurs

• Periodic changes are recommended based on your needs

Inspections and Audits

• Your Program Coordinator should be responsible for all inspection and audit activities

• Inspections and audits should be performed often and without notice

• The Program Coordinator must hold meetings with the decision makers to discuss the audit results and to make changes as needed

• You must be willing to take disciplinary action, up to and including termination, if employees refuse to change to comply with your requirements

• Audit frequency should be based on the results of your inspections

Hiring Practices

• Identity theft by employees is increasing at an alarming rate.

• Employees who have access to your customer information are selling the information to thieves.

• Business owners can be held liable for hiring employees with a criminal background.

• If you are considering hiring an individual with a criminal background, please use logic other than “They can sell cars.”

• We strongly recommend every business complete a background check prior to offering an individual a job.

• One source is www.publicdata.com.

THREE PLACES INFORMATION IS CONSIDERED SAFE

1. IN YOUR HAND

2. IN A LOCKED DESK DRAWER OR FILE

3. ON YOUR COMPUTER SCREEN, IF YOUR COMPUTER IS PROPERLY PROTECTED

IN never OUT

Why Should You Comply?

• It’s the law?
• The FTC fines and penalties are expensive?
• You have nothing better to do?

MOTTO:

Conducting business the right way…

… even when no one else is looking!

COMPLIANCE

Building and supporting a system or a change that promotes company-wide compliance is costly…

…Ignoring today’s compliance requirements CAN be devastating!