It’s Time For An Identity Theft Audit

Team VADA eViews
The Digital Newsletter of Your Virginia Automobile Dealers Association
May - June 2008
 
 
  • On November 1, 2008 dealers must have a program in place that complies with the FTC Red Flag Rule
  • This will be a major undertaking; preparations by the dealership should already be underway
  • Penalties for non-compliance can be severe

 
November 1, 2008. By that date, each dealership must have in place a program approved by the dealership’s board of directors that complies with the FTC Red Flag Rule. This is a major new compliance obligation. However, before implementing a Red Flag program, every dealer should take the time to evaluate its compliance with existing FTC rules for the protection of customers’ non-public information and prevention of identity theft – the Privacy Rule and the Information Safeguards Rule.
 
Here is a simple ten point checklist that can be used to evaluate the dealership’s compliance with those important FTC requirements that are already in effect.
 
 
Privacy Rule Compliance
  • The Company has a privacy notice form.
  • Those customers who buy and finance a vehicle or lease a vehicle sign the privacy notice.
  • Copies of privacy notices are maintained in deal files.
  • Privacy notices are sent annually to buy here/pay here and in-house lease customers.
 
 
Safeguard Rule Compliance
  • The Company has established a written information safeguards plan.
  • The dealer has designated an employee as the information security coordinator.
  • The Company has done an assessment of the risks of misuse of customer information, and the company regularly reviews and updates its Information Safeguards program.
  • The dealer regularly evaluates its process of electronically receiving and sending customer information.
  • All employees have signed an acknowledgment of their obligations under the Information Safeguards Policy of the dealership.
  • Contractors with access to customer information have signed an Information Safeguards agreement.
 
 
Explanation
  • The FTC Privacy Rule requires that a notification be given to each customer who does a finance or lease transaction. The notification must be written and must inform the customer of the dealership’s uses of the customer’s information and of the customer’s rights. The notice must include, where appropriate, the customer’s right to opt out of release of the customer’s information for purposes other than those specifically allowed by law. We have always recommended that dealers avoid the necessity of adopting complicated opt-out processes by adopting a policy that the dealership will only use and release customer information in ways that are specifically permitted by law without triggering customers’ rights to opt out.
  • The Privacy Rule requires delivery of the privacy notice. By law, customers do not have to sign the privacy notice. However, it is a best practice to request a signature so that the dealership can prove that the privacy notice was delivered. Sometimes customers will refuse to sign the privacy notice and will demand changes. Never change the privacy notice. It is a notice; it is not an agreement. It simply notifies customers of the dealer’s policy. Any changes creating inconsistent policies will severely complicate compliance. If a customer will not sign, note on the form that the customer would not sign, hand a copy to the customer, and put a copy in the appropriate file with the notation. If the customer will not accept the copy, note that on the document and put it in the customer’s file.
  • The notice must be delivered in each finance or lease transaction. (The Rule also requires delivery in insurance transactions, but that seldom occurs in a dealership unless there is a finance or lease deal.) Some dealers choose to give privacy notices to all customers. Whether the privacy notices are given only to those required by the Rule, or to all customers, make sure a copy is maintained in the customer’s deal file. For customers who are given a privacy notice but do not buy, it is a best practice to keep a copy with the credit application signed by the customer.
  • Dealers who do buy here/pay here programs or who hold in-house leases (as well as dealers who hold any other sort of in-house finance agreements) must annually notify those customers of the dealership’s privacy policy.
  • Dealers were required to adopt and implement an information safeguard policy no later than May 23, 2003. The FTC regularly investigates dealers and others to ensure that this has been done. If your dealership has not adopted a plan, do so immediately.
  • The Rule requires an Information Safeguard Coordinator. That safeguard coordinator must be an employee of the dealership. The obligations of the coordinator can be delegated to others who need not be employees. However, the person in charge of the Information Safeguards Program in the dealership, to whom people can direct questions, must be a dealership employee.
  • At the time the dealership adopted its Information Safeguard Plan, an identification and assessment of the risks was required. It is important to the effectiveness of the plan that this step was taken and that evidence of the assessment was kept. Make sure the initial assessment is maintained in the dealership’s records. The Rule requires that a safeguard plan be regularly evaluated and amended to ensure its effectiveness. There should be a schedule of regular evaluations, at least annually and preferably semi-annually. All assessments and changes must be documented. Do not discard prior versions of the plan once the plan is amended. Keep a running history of evaluations and changes in the event the dealership is ever asked to show that it complies with the Information Safeguard Rule’s requirements.
  • The FTC has an ongoing requirement to report compliance with the Information Safeguards Rule to Congress. In connection with this obligation, it regularly investigates companies, including auto dealerships. One of the key elements the FTC investigates is the electronic processes that dealers use for transmitting and receiving customer information. All customer information should be received securely, whether it comes in through email or the internet. All information should be transmitted securely, whether by internet or another means. Regular and continued work with the dealership’s IT vendor is necessary to be sure that protection of information transmission is state of the art.
  • Employees throughout the dealership should know the dealership’s policies and procedures to protect customer information. It does no good to adopt a plan in which the employees are not trained. All employees should be trained on the Information Safeguard plan and sign acknowledgments of their obligations.
  • Suppliers who have access to the dealership’s customer information are required to sign an agreement that they will safeguard that information. This is not only the law; it is a sensible business practice. The dealership’s customer information is a valuable asset that should be protected.
 