The Safeguards Rule: Does It Make Your Dealership Feel Safe?

Keith Whann
The Car Counselor

The FTC’s Privacy Rule became effective in 2001 and the Safeguards Rule in 2003.  By now, you would think the motor vehicle industry would have a pretty good understanding of how to comply with these Regulations.  However, as I have traveled the United States speaking at various NIADA and State Affiliate Conventions and meetings, I am often reminded that this is not the case.  It likely has as much to do with the complexity of the FTC’s Privacy and Safeguards Rules as it does the number of other Privacy related Rules and Regulations that are being adopted.  In an attempt to make your dealership feel safe, we will draw a simple roadmap to help dealers maneuver through the Safeguards Rule requirements.
 
The FTC’s Safeguards Rule did not change the dealership’s obligations under the FTC’s Privacy Rule.  Motor vehicle dealerships are required to provide their customers with a Privacy Notice that advises the customer about the types of information the dealership collects, the sources from which the information may be obtained, and the dealership’s policies with respect to sharing that information.  In order to fully comply with the Gramm-Leach-Bliley Act and the FTC’s Privacy Rule, motor vehicle dealers are also required to make a statement about their information safeguarding practices in their Privacy Notices.  As a result, most dealership Privacy Notices state “we maintain physical, electronic and procedural safeguards to protect the confidentiality and security of the information we collect”.  Pursuant to the Safeguards Rule, dealers must also have a written document that specifies the steps they have taken to assess the types of risks that exist with respect to the information being obtained by unauthorized individuals and to protect the confidentiality and security of such information. 

The FTC’s Safeguards Rule specifically requires every dealer, regardless of the size of his dealership, to develop, implement and maintain a comprehensive written information security plan that describes the dealership’s program to protect customer information.  The Dealership must: (1) Designate an employee or employees to coordinate the safeguards program; (2) Identify and assess the risks to customer information in each relevant area of the dealership’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks; (3) Design and implement a safeguards program, and regularly monitor and test it; (4) Select service providers capable of maintaining appropriate safeguards for the customer information the dealership shares and require them to agree contractually to do so; and (5) Evaluate and adjust the program as appropriate.

The FTC developed flexible rules to permit each dealership to develop privacy policies and information security standards taking into consideration the dealership’s size and complexity, the nature and scope of its activities, and the sensitivity of the information it collects.  Like the Privacy Rule, the Safeguards Rule applies only to transactions involving persons who obtain a financial product or service from the dealership primarily for personal, family or household purposes.  Although it is a good idea to apply the same privacy policies and information security standards to all of the information collected by the dealership, it is not required for information about companies or individuals who obtain financial products or services for business, commercial or agricultural purposes, unless the dealership’s Privacy Notice states otherwise.

In September of 2003, the FTC began serving formal investigative requests on motor vehicle dealerships asking for evidence of compliance, including: A description of the type of information collected from or about customers and a sample copy of each form used to collect information; a copy of the written information security program and the time period during which it was written and implemented; a description of the security risks that were identified in developing the plan and how the final plan addresses each of the risks; the name and title of employees responsible for coordinating the safeguards plan; and the name of each service provider together with information regarding the types of customer information they have access to, the manner and form of access, the reasons for access, a copy of the contract requiring them to implement and maintain security safeguards, and an explanation of how the dealership confirms that safeguards have been implemented and are maintained.  As a reminder, the penalty for noncompliance is $11,000 per day. 

With these monetary amounts at stake and privacy being on the top of Federal and State Regulators’ agendas, we anticipate that the FTC has only just begun its enforcement of this and other Privacy Rules.  Dealers are well advised to consider other Privacy Laws that have recently been enacted or are under consideration.  For example, on December 4, 2003, President Bush signed into law the Fair and Accurate Credit Transactions Act (FACT Act) in an attempt to reduce the risk of consumer fraud and related crimes, including identity theft, and to assist any victims.  The FTC has already begun adopting Regulations to enforce the Act, including a “Disposal Rule” that implements Section 216 of the Act.

Section 216 requires the FTC, in coordination with the Federal Banking Agencies, the National Credit Union Administration (NCUA), and the Securities and Exchange Commission (SEC), to issue regulations requiring “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation.”  The stated purpose of this Section is to prevent unauthorized disclosure of consumer information and to reduce the risk of fraud or related crimes, including identity theft, by ensuring that records containing sensitive financial or personal information are appropriately redacted or destroyed before being discarded.  The FTC’s Proposed Disposal Rule would require that any person that maintains or otherwise possesses consumer information “take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”  Like the Safeguards Rule, it provides covered entities flexibility to make decisions taking into consideration their size, the sensitivity of the consumer information collected, the nature and size of their operations, and the costs and benefits of different disposal methods.  Unless extended by the FTC, dealers will only have 3 months after publication of the Final Rule to become compliant.

Privacy is a constantly changing area of the law that will continue to impact a dealership’s policies, practices and operational procedures.  It is also at the top of Regulators’ enforcement agendas and a hot button for consumer attorneys. Therefore, when it comes to privacy issues, an ounce of prevention may be worth more than a pound of cure!
