Recently, the Federal Trade Commission and the Internal Revenue Service have begun targeting automotive and powersports dealerships for inspection with regard to the Safeguards Rule. With the federal government hungry for new sources of revenue, it is much easier to impose and collect fines than struggle to increase taxes. Understand, fines for non-compliance can reach $11,000 per occurrence. That means for each credit application you leave unsecured you could be fined $11,000.
The FTC has issued the final Safeguards Rule to establish standards relating to administrative, technical and physical information safeguards for institutions. The standards of the Safeguards Rule are intended to: ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of such customer records and protect against unauthorized access to or use of such records or information that could result in harm or inconvenience to any customer.
The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company’s size, the nature and scope of its activities and the sensitivity of the customer information it handles.
As part of its plan, each company must: designate one or more employees to coordinate its information security program; identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program and regularly monitor and test it; select service providers that can maintain appropriate safeguards (make sure your contract requires them to maintain safeguards, and oversee their handling of customer information); and evaluate and adjust the program in light of relevant circumstances, including changes in business or operations, or the results of security testing and monitoring.
The success of your information security plan depends largely on the employees who implement it.
Here are a few things to consider: checking references or doing background checks before hiring employees who will have access to customer information; asking every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information; limiting access to customer information to employees who have a business reason to see it; controlling access to sensitive information by requiring employees to use passwords that must be changed on a regular basis; using password-activated screensavers to lock employee computers after a period of inactivity; developing policies for appropriate use and protection of laptops, cell phones and other mobile devices; and preventing terminated employees from accessing customer information by immediately deactivating their passwords and user IDs. Also, train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, including: locking rooms and file cabinets, not sharing or openly posting employee passwords, encrypting sensitive customer information when it is transmitted electronically via public networks and reporting suspicious attempts to obtain customer information.
Here are some suggestions on maintaining security throughout the life cycle of customer information, from data entry to data disposal: know where sensitive customer information is stored and store it securely; make sure only authorized employees have access; ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods; store records in a room or cabinet that is locked when unattended; when customer information is stored on a server or other computer, ensure that the computer is accessible only with a strong password and is kept in a physically secure area; where possible, avoid storing sensitive customer data on a computer with an Internet connection; maintain secure backup records and keep archived data secure by storing it offline and in a physically secure area; and maintain a careful inventory of your company’s computers and any other equipment on which customer information may be stored.
If a breach occurs: take immediate action to secure any information that has or may have been compromised; preserve and review files or programs that may reveal how the breach occurred; if feasible and appropriate, bring in security professionals to help assess the breach as soon as possible; notify customers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm; notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm; notify the credit bureaus and other businesses that may be affected by the breach; and check to see if the breach notification is required under applicable state law.
Peter Jones is an industry trainer and consultant as well as founder of Peter Jones Powersports and can be reached at firstname.lastname@example.org or 904/742-3080.