Preventing Data Leakage
We have written about the increased government scrutiny of data protection by businesses. Dealers should recognize this, and they should make data protection a priority.
The FTC has been emphasizing the importance of data protection for nearly two decades. On July 24, the Commission sent its strongest message ever. It announced an agreement with Facebook to settle a threatened FTC lawsuit that involved the highest civil penalty ever imposed — $5 billion (and yes, that is “billion” with a “B”). The complaint released by the FTC charged that Facebook had violated a 2012 consent order that prevented the company from misrepresenting to consumers its data collection, sharing, and security practices. The Commission charged that Facebook did not comply with a requirement that it implement and maintain a reasonable data privacy program.
Besides the whopping civil penalty, Facebook agreed to complex and expensive oversight procedures for data privacy. It also agreed to specific data protection procedures.
On the same day, the Securities and Exchange Commission issued its own agreement with Facebook. In it, the SEC charged that Facebook misstated in its public filings the potential risk of data misuse when it knew that a company with which Facebook shared data had already misused it. The SEC imposed a $100 million civil penalty, and it permanently enjoined Facebook from similar future violations.
The sheer dollar volume of these penalties should give any business that collects consumer data pause. Not that a motor vehicle dealership will be looking at a civil penalty anything close to what Facebook has paid, but the remedy clarifies the FTC’s intent to impose pain on those careless with consumers’ data.
One message of the FTC’s record monetary penalty, imposed for the violation of an order about Facebook’s duties to consumers, is clear – do not misrepresent to consumers how you will store and how you will use their data.
There is no hotter issue for those that collect customer data, like motor vehicle dealerships, than data protection. Not only is the federal government making this a priority, states are getting into the act. California passed a comprehensive data protection statute that California motor vehicle dealers are struggling to understand before its effective date at the beginning of 2020. States around the country are considering legislation similar to the California requirements. Data protection must be top of mind for all dealers.
In last month’s newsletter, we spoke about reviewing the dealership’s policy for compliance with the FTC’s Information Safeguards Rule to make sure it is up to date and in effect, including an audit to be sure the policy’s safeguards are in place.
This month, we want to caution you about “data leakage.”
As we mentioned, a critical aspect of the Facebook settlement with the Securities and Exchange Commission was a lack of candor about misuse of data by a company with which Facebook shared information. This is an issue to which a motor vehicle dealer must give attention. Under the dealership’s information safeguards program, there must be a policy of ensuring that those with whom the dealership shares customer data have in place safeguards consistent with the FTC Rule. Too often, however, agreements with suppliers are silent on safeguards, or they contain requirements that the dealer safeguard information with no reference to the supplier’s obligations. Every agreement a dealer signs with a supplier that may have access to customer information stored by a dealer must contain a requirement that the supplier have procedures in place to comply with the FTC Information Safeguards Rule. A dealer should also take particular care to include provisions that the dealer owns its data, the supplier takes no ownership interest in the data, the supplier can use the data only to serve the dealership under the agreement, and the supplier cannot use the data to serve its other customers or for its own purposes. A dealer should also do due diligence about a supplier. Is the supplier a shell on which the dealer can impose no meaningful liability for a breach? Or is the supplier a substantial company on which a monetary judgment can have a significant impact?
Data leakage is also a significant problem with employees, particularly those who leave the employment of the dealership. Before 2003, it was common for dealers to train salespeople that they had to develop customers, treat them as their own, and keep their information for future sales purposes. The promulgation of the FTC Information Safeguards Rule changed that. Under the Information Safeguards Rule, a business must maintain the confidentiality of non-public personal information of consumers. That means a dealer must own its customer data and protect it from misuse. Customer data is no longer something that dealership salespeople can consider their own.
Ask yourself what you are doing to protect customer data. Is your Information Safeguards program being enforced to ensure that customer information remains with the dealership? That is especially crucial if an employee quits or is terminated.
Is an ex-employee walking off with non-public personal information of customers to use at a new job? Are they treating your data as theirs so they can solicit customers on behalf of their new dealership employer? Consider having in place a confidentiality and non-solicitation provision in pay plans that salespeople sign. That should cover:
- all customer data belongs to the dealership and it may not be taken and used by the employee;
- it may not be shared with anyone;
- any direct solicitation of customers following the salesperson’s employment is prohibited and will be evidence of misuse of customer data;
- protection against data leakage through other ex-employees by preventing solicitation and hiring of employees; and
- a remedy.
What remedy? Using a liquidated damage provision for breach may scare off some potential employees. Instead, consider having the employee agree that injunctive relief is appropriate, without a surety bond (meaning that the dealership will not have to post a bond in connection with any injunction to protect the ex-employee from damages).
Over the years, we have reminded dealers that the customer base of a dealership is its second most valuable asset after its franchise. Preventing data leakage is critical to dealership loss control efforts.