CUSTOMER INFORMATION

1
CUSTOMER INFORMATION SAFEGUARDING RULES
2
Consumer Facts

• Identity theft hit the 10 million mark during
  2003.
• It takes consumers 14 - 18 months to clear their
  name.
• It costs the average consumer around 850.
• Non-public information must be safeguarded.
• Fines for not being compliant can be in the
  millions.
• Employees must adhere to the policies
  established.

3
Recent Articles and Topics

• Your phone number, credit card number, Social
  Security number, debit card number and PIN. They
  may even know your mothers maiden name. And
  theyll sell it all for the price of a movie
  ticket. the newest generation of identity
  brokers, thousands of criminals involved in some
  of the most brazen electronic attacks
  onconsumers in recent yearscosting businesses
  nearly 50 billion.
• Dallas Morning News September 25,2004
• The FTC has established a consumer web-site
  titled Facts for Consumers When Bad Things
  Happen to Your Good Name. This site is an
  educational site for consumers to discover how to
  protect their identity and what to do if they
  experience a loss. The FTC also offers a
  Complaint Input Form for consumers to e-mail
  them direct if they have experienced identity
  theft. The form contains a section called
  Problems with Companies asking, among other
  things, the consumer to identify the company by
  name, address and telephone number.
• FTC web site http//www.ftc.gov/bcp/conline/
  pubs/idtheft.htm
• A web search on Yahoo found 407314 identity
  theft topics.
• A car salesman has been arrested and charged in
  a widespread identity theft scheme that netted
  more than 400,000 in personal propertyincluding
  a 2004 Harley Davidsonpurchased utilizing stolen
  identity.
• The Associated Press August 1, 2004

4
CUSTOMER INFORMATION SAFEGUARDING RULES

• The Privacy Act and the Safeguarding Rule are
  both part of the requirements under the
  Gramm-Leach-Bliley Act.
• The Privacy Act deals with how you share your
  customers non-public information you obtain.
  The final date for dealers to be compliant with
  the Privacy Act was July 1, 2001.
• The Customer Information Safeguarding Rule deals
  with how you protect your consumers non-public
  information you obtain. The final date for
  dealers to be compliant with the Safeguarding
  Rule was May 23, 2003.

5
Non-Public Information

• Credit Applications
• Telephone Numbers (Unlisted)
• Social Security Numbers
• Address
• Date of Birth
• Job and income
• Credit Bureau information
• Credit card numbers
• Credit limits and balances
• All account information
• Drivers License number
• Checking account number
• Insurance policy number

6
The Federal Trade Commission says

• each business must designate a Program
  Coordinator to oversee its Safeguarding efforts
• the Program Coordinator should have an above
  average level of expertise in each of the
  operational areas of the business
• the Program Coordinator must oversee a thorough
  risk assessment of the business
• each business must develop its own
  comprehensive Written Information Security
  Program specific to its activities (the FTC is
  clear in their opinion that each business will be
  different than the next, even for multiple point
  operations one document will not be sufficient
  for all stores)
• the Program Coordinator must have the authority
  to inspect the business compliance status through
  an audit process
• the audit process is to be conducted on a
  periodic basis and should include the ability to
  discipline employeesup to and including
  termination
• the Program Coordinator needs to have direct
  access to the business owner and hold periodic
  meetings to identify and correct issues and
  problems discovered during the inspections
• all computers within the business must be
  equipped with an up-to-date and efficient
  anti-virus software and firewall protection
  program
• all computers within the business must be
  equipped with a screen saver login protected
  software package
• each computer user within the business must use
  a strong complex password for the login process
  (the FTC used an eight 8 alpha numeric digit
  password with at least one (1) CAPITALIZED
  letter and one (1) unknown digit such as an -_at_
  as an example of a strong password)
• each business is required to take reasonable
  steps to ensure that each of its selected
  vendors has the ability to adequately safeguard
  consumer non-public personal information
• vendor agreements must contain a contractual
  obligation for the vendor to maintain adequate
  safeguarding provisions to protect your clients
  identity

7
FTC Penalties and Fines

• To review, the penalty for non-compliance is
  calculated as follows
• The FTC pays you a visit
• They find 3 customer files not properly secured
• The files are dated from 10 days ago
• The fine would be..
• 3 x 11,000 33,000 x 10 days 330,000
• The FTC would then ask to see your Written
  Information Security Program and Program
  Coordinator
• If the FTC is not satisfied with your effort to
  secure your consumer information they could
  assume that you have never been in compliance and
  the fine would be recalculated based on the
  following
• 3 x 11,000 33,000 x 505 days (May 23,
  2003) 16,665,000

8
STEPS TO COMPLIANCE

• STEP 1 Get started Do something
• STEP 2 Read and understand the Safeguarding Rule
• STEP 3 Assign a qualified Program Coordinator
• STEP 4 Empower the Program Coordinator with
  authority
• STEP 5 You must make sure that ALL employees
  fully cooperate with the Program Coordinator
• STEP 6 Write your Information Security Program
  based on your individual risk assessment
• STEP 7 Publish your Written Information Security
  Program to the appropriate parties
• STEP 8 Train all employees to understand your
  Written Information Security Program
• STEP 9 Incorporate your Safeguarding Rules into
  your Routing Process document
• STEP 10 Review all of your Vendors to ensure
  that they are in compliance

9
THE FIVE STEPS

• TRAINING Every employee is required to take a
  Safeguarding Rules training course. The course
  should be your Written Information Security
  Program broken down by departments. Each employee
  must pass the test each year or as changes occur.
  
• PROGRAM COORDINATOR You must select the proper
  individual to assume the duties of the Program
  Coordinator. Your Program Coordinator must be an
  individual that is willing and able to lead the
  charge for change.
• WRITTEN INFORMATION SAFEGUARDING RULES Your
  Program Coordinator must establish your Written
  Information Security Program unique to your
  dealership. This is accomplished primarily by
  Blueprinting your existing dealership
  operations and current layouts.
• AUDITS AND INSPECTIONS Periodic inspections and
  audits are required to ensure that the changes
  identified are being implemented and followed.
  The Program Coordinator must establish a routine
  inspection check sheet that reflects your new
  processes. Changes to your existing Written
  Information Security Program should be based on
  the results or your audits.
• MAINTENANCE AND FOLLOW UP Your program must
  change as litigation changes the interpretation
  of the Safeguarding Rules. Several states are
  currently reviewing the need for separate state
  issued regulations. The state of California has
  already approved a separate state law aimed at
  Privacy issues. Your information and program
  needs to be monitored and kept up-to-date as the
  Safeguarding Rule is altered and changed on
  Federal and State levels.

10
AUDIT

• Non-public Customer Information
• Employees have a good understanding of what
  information needs to be safeguarded
• The majority of employees state that they
  understand the importance of safeguarding
• Program Coordinator
• Many dealerships have yet to assign a Program
  Coordinator
• Program Coordinators have stated that they really
  dont have time for this
• Written Information Security Program
• Most dealerships do not have a unique program
  written
• Many written programs are not specific and are
  too generic in nature
• Inspections and Audits
• Very few dealerships have completed any type of
  audit
• Very few changes have been made based on the
  results of those audits
• FTC Penalties and Fines
• The potential for heavy fines does not seem to be
  a valid reason to comply

11
MORE SPECIFICALLY

• Social Security numbers were easily found in all
  sales areas in all stores visited
• Copies of drivers license, with social security
  numbers, easily found
• Credit applications in the possession of the
  sales team and out in the open
• Customer worksheets that include social security
  numbers and date of births
• Full deals located and stored at sales desks
• We were able to pick up several deals and walk
  out of the building
• Signs labeled Do Not Enter Employees Only
  Customer Non-Public Information
• Social Security Numbers hand written on Repair
  Orders
• Service Technicians and Service Writers Social
  Security numbers printed on R.O.s
• Employee Applications left out in the open
• Employee paychecks left out in the open
• Dead files stored on the floor behind sales and
  FI desks
• FI offices left unattended and open for extended
  periods of time
• Vendors and wholesalers walking through the
  General Office areas
• Customer Credit Bureaus printed on printers
  located in the middle of the showroom floor
• Credit card machines that print full customer
  account numbers
• FI Managers leaving pending deals on their desk
  throughout the night
• FI Managers leaving their desk with a client in
  their office and deals out in the open
• Locks on the FI Managers office door with all
  sales persons walking in and out at will

12
Program Coordinator

• The position of Program Coordinator should be
  assigned based on a person, not a position
• Your Program Coordinator should possess the
  following characteristics
• Extreme loyalty to your dealership and its owner
• A military background is helpful
• Someone you can hold accountable
• Someone not easily intimidated
• Someone who does not mind being a tattle tale
• A person who will force the issues for resolution
• A person who will support the effort to change

13
Written Information Security Program

• All programs must be written based on your
  dealerships unique business structure
• Multiple locations must have its own unique
  program
• The Program Coordinator is responsible for the
  program
• All employees must be trained based on their job
  title
• Awareness must be maintained by upper management
  to ensure that change occurs
• Periodic changes are recommended based on your
  needs

14
Inspections and Audits

• Your Program Coordinator should be responsible
  for all inspection and audit activities
• Inspections and audits should be performed often
  and without notice
• The Program Coordinator must hold meetings with
  the decision makers to discuss the audit results
  and to make changes as needed
• You must be willing to take discipline action, up
  to and including termination, if employees refuse
  to change to comply with your requirements
• Audit frequency should be based on the results of
  your inspections

15
Hiring Practices

• Identity theft by employees is increasing at an
  alarming rate.
• Employees who have access to your customer
  information, are selling the information to
  thieves.
• Business owners can be held liable for hiring
  employees with a background in crime.
• If you are considering hiring an individual with
  a criminal background, please use logic other
  than They can sell cars.
• We strongly recommend every business complete a
  background check prior to offering an individual
  a job.
• One source is www.publicdata.com.

16
THREE PLACES INFORMATION IS CONSIDERED SAFE

• IN YOUR HAND
• IN A LOCKED DESK DRAWER OR FILE
• IN YOUR COMPUTER SCREEN IF YOUR COMPUTER IS
  PROPERLY PROTECTED
• IN never OUT

17
Why Should You Comply?

• Its the Law?
• The FTC fines and penalties are expensive?
• You have nothing better to do?
• MOTTO
• Conducting business the right way
• even when no one else is looking!

18
COMPLIANCE

• Building and supporting a system or a change that
  promotes company wide compliance is costly
• Ignoring todays compliance requirements CAN be
  devastating!