CUSTOMER INFORMATION - PowerPoint PPT Presentation

Slides: 19
Provided by: SteveL198
Transcript and Presenter's Notes

1
CUSTOMER INFORMATION SAFEGUARDING RULES
2
Consumer Facts
  • Identity theft hit the 10 million mark during
    2003.
  • It takes consumers 14 - 18 months to clear their
    name.
  • It costs the average consumer around $850.
  • Non-public information must be safeguarded.
  • Fines for not being compliant can be in the
    millions.
  • Employees must adhere to the policies
    established.

3
Recent Articles and Topics
  • "Your phone number, credit card number, Social
    Security number, debit card number and PIN. They
    may even know your mother's maiden name. And
    they'll sell it all for the price of a movie
    ticket. the newest generation of identity
    brokers, thousands of criminals involved in some
    of the most brazen electronic attacks on
    consumers in recent years, costing businesses
    nearly $50 billion."
  • Dallas Morning News, September 25, 2004
  • The FTC has established a consumer web site
    titled "Facts for Consumers When Bad Things
    Happen to Your Good Name". This is an
    educational site where consumers can learn how
    to protect their identity and what to do if they
    experience a loss. The FTC also offers a
    "Complaint Input Form" that consumers can use to
    e-mail the agency directly if they have
    experienced identity theft. The form contains a
    section called "Problems with Companies" asking,
    among other things, the consumer to identify the
    company by name, address and telephone number.
  • FTC web site:
    http://www.ftc.gov/bcp/conline/pubs/idtheft.htm
  • A web search on Yahoo found 407314 identity
    theft topics.
  • A car salesman has been arrested and charged in
    a widespread identity theft scheme that netted
    more than $400,000 in personal property,
    including a 2004 Harley Davidson, purchased
    utilizing stolen identity.
  • The Associated Press, August 1, 2004

4
CUSTOMER INFORMATION SAFEGUARDING RULES
  • The Privacy Act and the Safeguarding Rule are
    both part of the requirements under the
    Gramm-Leach-Bliley Act.
  • The Privacy Act deals with how you share the
    non-public information you obtain from your
    customers. The final date for dealers to be
    compliant with the Privacy Act was July 1, 2001.
  • The Customer Information Safeguarding Rule deals
    with how you protect the non-public information
    you obtain from your consumers. The final date
    for dealers to be compliant with the
    Safeguarding Rule was May 23, 2003.

5
Non-Public Information
  • Credit Applications
  • Telephone Numbers (Unlisted)
  • Social Security Numbers
  • Address
  • Date of Birth
  • Job and income
  • Credit Bureau information
  • Credit card numbers
  • Credit limits and balances
  • All account information
  • Driver's license number
  • Checking account number
  • Insurance policy number

6
The Federal Trade Commission says
  • each business must designate a Program
    Coordinator to oversee its Safeguarding efforts
  • the Program Coordinator should have an above
    average level of expertise in each of the
    operational areas of the business
  • the Program Coordinator must oversee a thorough
    risk assessment of the business
  • each business must develop its own
    comprehensive Written Information Security
    Program specific to its activities (the FTC is
    clear in its opinion that each business will be
    different from the next; even for multiple-point
    operations, one document will not be sufficient
    for all stores)
  • the Program Coordinator must have the authority
    to inspect the business's compliance status
    through an audit process
  • the audit process is to be conducted on a
    periodic basis and should include the ability to
    discipline employees, up to and including
    termination
  • the Program Coordinator needs to have direct
    access to the business owner and hold periodic
    meetings to identify and correct issues and
    problems discovered during the inspections
  • all computers within the business must be
    equipped with up-to-date and efficient
    anti-virus software and a firewall protection
    program
  • all computers within the business must be
    equipped with a login-protected screen saver
    software package
  • each computer user within the business must use
    a strong, complex password for the login process
    (as an example of a strong password, the FTC
    used an eight (8) digit alphanumeric password
    with at least one (1) CAPITALIZED letter and one
    (1) unknown digit such as an @)
  • each business is required to take reasonable
    steps to ensure that each of its selected
    vendors has the ability to adequately safeguard
    consumer non-public personal information
  • vendor agreements must contain a contractual
    obligation for the vendor to maintain adequate
    safeguarding provisions to protect your clients'
    identity

7
FTC Penalties and Fines
  • To review, the penalty for non-compliance is
    calculated as follows:
  • The FTC pays you a visit
  • They find 3 customer files not properly secured
  • The files are dated from 10 days ago
  • The fine would be...
  • 3 x $11,000 = $33,000 x 10 days = $330,000
  • The FTC would then ask to see your Written
    Information Security Program and Program
    Coordinator
  • If the FTC is not satisfied with your effort to
    secure your consumer information, they could
    assume that you have never been in compliance and
    the fine would be recalculated based on the
    following:
  • 3 x $11,000 = $33,000 x 505 days (since May 23,
    2003) = $16,665,000

8
STEPS TO COMPLIANCE
  • STEP 1: Get started. Do something.
  • STEP 2: Read and understand the Safeguarding Rule
  • STEP 3: Assign a qualified Program Coordinator
  • STEP 4: Empower the Program Coordinator with
    authority
  • STEP 5: You must make sure that ALL employees
    fully cooperate with the Program Coordinator
  • STEP 6: Write your Information Security Program
    based on your individual risk assessment
  • STEP 7: Publish your Written Information Security
    Program to the appropriate parties
  • STEP 8: Train all employees to understand your
    Written Information Security Program
  • STEP 9: Incorporate your Safeguarding Rules into
    your Routing Process document
  • STEP 10: Review all of your Vendors to ensure
    that they are in compliance

9
THE FIVE STEPS
  • TRAINING: Every employee is required to take a
    Safeguarding Rules training course. The course
    should be your Written Information Security
    Program broken down by departments. Each employee
    must pass the test each year or as changes occur.
  • PROGRAM COORDINATOR: You must select the proper
    individual to assume the duties of the Program
    Coordinator. Your Program Coordinator must be an
    individual who is willing and able to lead the
    charge for change.
  • WRITTEN INFORMATION SAFEGUARDING RULES: Your
    Program Coordinator must establish your Written
    Information Security Program unique to your
    dealership. This is accomplished primarily by
    "Blueprinting" your existing dealership
    operations and current layouts.
  • AUDITS AND INSPECTIONS: Periodic inspections and
    audits are required to ensure that the changes
    identified are being implemented and followed.
    The Program Coordinator must establish a routine
    inspection check sheet that reflects your new
    processes. Changes to your existing Written
    Information Security Program should be based on
    the results of your audits.
  • MAINTENANCE AND FOLLOW UP: Your program must
    change as litigation changes the interpretation
    of the Safeguarding Rules. Several states are
    currently reviewing the need for separate
    state-issued regulations. The state of California
    has already approved a separate state law aimed
    at Privacy issues. Your information and program
    need to be monitored and kept up-to-date as the
    Safeguarding Rule is altered and changed on
    Federal and State levels.

10
AUDIT
  • Non-public Customer Information
      • Employees have a good understanding of what
        information needs to be safeguarded
      • The majority of employees state that they
        understand the importance of safeguarding
  • Program Coordinator
      • Many dealerships have yet to assign a Program
        Coordinator
      • Program Coordinators have stated that they
        really don't have time for this
  • Written Information Security Program
      • Most dealerships do not have a unique program
        written
      • Many written programs are not specific and are
        too generic in nature
  • Inspections and Audits
      • Very few dealerships have completed any type of
        audit
      • Very few changes have been made based on the
        results of those audits
  • FTC Penalties and Fines
      • The potential for heavy fines does not seem to
        be a valid reason to comply

11
MORE SPECIFICALLY
  • Social Security numbers were easily found in all
    sales areas in all stores visited
  • Copies of driver's licenses, with Social Security
    numbers, easily found
  • Credit applications in the possession of the
    sales team and out in the open
  • Customer worksheets that include Social Security
    numbers and dates of birth
  • Full deals located and stored at sales desks
  • We were able to pick up several deals and walk
    out of the building
  • Signs labeled "Do Not Enter", "Employees Only",
    "Customer Non-Public Information"
  • Social Security numbers handwritten on Repair
    Orders
  • Service Technicians' and Service Writers' Social
    Security numbers printed on R.O.s
  • Employee Applications left out in the open
  • Employee paychecks left out in the open
  • Dead files stored on the floor behind sales and
    F&I desks
  • F&I offices left unattended and open for extended
    periods of time
  • Vendors and wholesalers walking through the
    General Office areas
  • Customer Credit Bureaus printed on printers
    located in the middle of the showroom floor
  • Credit card machines that print full customer
    account numbers
  • F&I Managers leaving pending deals on their desk
    throughout the night
  • F&I Managers leaving their desk with a client in
    their office and deals out in the open
  • Locks on the F&I Manager's office door, with all
    salespersons walking in and out at will

12
Program Coordinator
  • The position of Program Coordinator should be
    assigned based on a person, not a position
  • Your Program Coordinator should possess the
    following characteristics:
  • Extreme loyalty to your dealership and its owner
  • A military background is helpful
  • Someone you can hold accountable
  • Someone not easily intimidated
  • Someone who does not mind being a tattle tale
  • A person who will force the issues for resolution
  • A person who will support the effort to change

13
Written Information Security Program
  • All programs must be written based on your
    dealership's unique business structure
  • Each of multiple locations must have its own
    unique program
  • The Program Coordinator is responsible for the
    program
  • All employees must be trained based on their job
    title
  • Awareness must be maintained by upper management
    to ensure that change occurs
  • Periodic changes are recommended based on your
    needs

14
Inspections and Audits
  • Your Program Coordinator should be responsible
    for all inspection and audit activities
  • Inspections and audits should be performed often
    and without notice
  • The Program Coordinator must hold meetings with
    the decision makers to discuss the audit results
    and to make changes as needed
  • You must be willing to take disciplinary action,
    up to and including termination, if employees
    refuse to change to comply with your requirements
  • Audit frequency should be based on the results of
    your inspections

15
Hiring Practices
  • Identity theft by employees is increasing at an
    alarming rate.
  • Employees who have access to your customer
    information are selling the information to
    thieves.
  • Business owners can be held liable for hiring
    employees with a background in crime.
  • If you are considering hiring an individual with
    a criminal background, please use logic other
    than "They can sell cars."
  • We strongly recommend every business complete a
    background check prior to offering an individual
    a job.
  • One source is www.publicdata.com.

16
THREE PLACES INFORMATION IS CONSIDERED SAFE
  • IN YOUR HAND
  • IN A LOCKED DESK DRAWER OR FILE
  • IN YOUR COMPUTER SCREEN IF YOUR COMPUTER IS
    PROPERLY PROTECTED
  • IN never OUT

17
Why Should You Comply?
  • It's the Law?
  • The FTC fines and penalties are expensive?
  • You have nothing better to do?
  • MOTTO
  • Conducting business the right way
  • even when no one else is looking!

18
COMPLIANCE
  • Building and supporting a system or a change that
    promotes company-wide compliance is costly
  • Ignoring today's compliance requirements CAN be
    devastating!