2017 GNYADA Membership Directory

HOT TOPICS

IMPORTANT LAWS AND REGULATIONS

The FTC Safeguards Rule

The FTC Safeguards Rule requires auto dealers to ensure the security and confidentiality of their customers’ personal information by using appropriate administrative, technical, and physical safeguards. The Rule also requires auto dealers to take reasonable steps to ensure that affiliates and service providers safeguard the customer information provided to them. Under the Safeguards Rule, an auto dealer must develop and implement a written information security program that is appropriate to the dealership’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue (the “Information Security Program”). The dealer’s Board of Directors (or its highest governing authority) must approve the initial Information Security Program and take responsibility for it. A senior officer must be appointed as the Information Security Program manager, responsible for developing, implementing, overseeing, updating, and administering the program and for training staff on it; final responsibility nonetheless rests with the Board of Directors or the senior management team. An Information Security Program must include certain basic elements so that it addresses the relevant aspects of a dealer’s operations.

The Information Security Program must:
• Describe how the program will protect customer information, in both paper and electronic form, and protect against anticipated threats to information security;
• Designate one or more employees to coordinate the information security program;
• Identify and assess the risks to customer information in each relevant area of the company’s operations, and evaluate the effectiveness of the current safeguards for controlling those risks;
• Design and implement a safeguards program, and regularly monitor, test, and update it;
• Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain those safeguards, and oversee their handling of customer information;
• Include a security incident and data breach response plan for use in the event of any irregularity, or whenever consumer information is lost, stolen, or compromised;
• Test, evaluate, and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations and the results of security testing and monitoring.

Dealers must regularly monitor and test their Information Security Program, evaluate its effectiveness, and adjust it accordingly. Three critical areas to address are: 1) employee training and management; 2) information systems; and 3) monitoring, detecting, preventing, and responding to attacks, intrusions, and system failures.

The FTC has found that failing to have a defensible password security policy, or permitting “weak” administrative passwords such as common words with no capitalization, numbers, or symbols (e.g., “password”) or simple numeric sequences (e.g., “12345”), can constitute inadequate data security. The FTC also faulted a leading social networking provider for storing passwords in plain text and sending them in plain-text emails.
