2017 GNYADA Membership Directory

practices” authority under Section 5 of the FTC Act as the hook. The U.S. Court of Appeals for the Third Circuit affirmed the FTC’s power to oversee cybersecurity, holding in a unanimous ruling that “deficient cybersecurity” practices which “fail to protect consumer data against hackers” may be found to be “unfair” practices under the Act, subject to FTC enforcement.

In addition to the inadequate data security practices listed under the FTC Safeguards Rule above, the FTC has cited, among other things, keeping sensitive information longer than it is needed; using commonly known default passwords; using P2P networks to transmit sensitive information; allowing wireless access to sensitive information; and excessive file sharing as examples of security shortfalls. The FTC has brought and settled numerous enforcement actions against companies that did not have adequate data security programs in place. It considers inadequate data security practices to be an “unfair trade practice” for which it can seek enforcement, oversight and redress for consumers, and civil penalties when credit report information is involved. Consent orders entered into with the FTC have included 10 to 20 years of FTC oversight, biennial audit certifications by specialized security firms, monetary penalties that can total up to $40,000 per violation of the order, and costly mandatory systems and operational upgrades. A senior FTC official stated that auto dealers “should treat consumer information as if it were cash.”

OFAC

The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) prohibits any U.S. person (including auto dealers) from doing any business, cash or credit, with persons or entities on OFAC’s list of Specially Designated Nationals and Blocked Persons (“SDN List”). These are persons or entities suspected of being associated with or funding terrorist organizations and other criminal enterprises.
The list is updated frequently; a searchable version is published on OFAC’s website at www.treasury.gov/ofac/downloads/sdnlist.txt. A credit bureau or electronic identity verification service can systematically check a customer against the current SDN List. You must run all of your customers, both cash and credit, against the SDN List. You should also run service and parts customers who make unusual orders (e.g., high quantities of materials that could be used in making an explosive device) or who otherwise seem suspicious. If you get a preliminary match, OFAC publishes a series of steps to determine whether you have a true match or a false positive. If you believe you have a true match after following those steps, you must call OFAC at 800.540.6322 or 1-202-622-2490, and you cannot do business with that person unless instructed otherwise. Penalties can include civil penalties of $1 million per violation, fines up to $10 million, plus imprisonment for up to 30 years. Given the presence of terrorist groups such as ISIS planning attacks in the U.S., it is important to run OFAC checks on persons who rent vehicles from your dealership or engage in other acts that could be an element of a terrorist act. You don’t want to be the dealer that sold parts, vehicles, or other devices that helped facilitate a terrorist attack on our homeland.

FTC Red Flags Rule

The Red Flags Rule requires a dealership to perform a risk analysis and to develop and implement a written Identity Theft Prevention Program (“ITPP”) to detect, prevent, and mitigate identity theft. It is not a “one size fits all” rule.
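The OFAC section above says a customer must be run against the SDN List and that a hit is only a preliminary match until OFAC’s resolution steps are followed. The script below is an added illustration of that screening step; it is not from the directory, OFAC, or any vendor. The list entries are fictional and constructed here, the “primary name plus aliases” layout and the corporate-suffix list are assumptions, and the real sdnlist.txt has its own format. A production screen would run the live list (or a vendor service) and then apply OFAC’s published steps before treating any hit as a true match.

```python
"""Name screening against a constructed SDN-style list.

Added example, not from the GNYADA directory, OFAC, or any vendor. The
entries below are fictional and the "primary name plus aliases" layout is
an assumption; the real sdnlist.txt has its own format.
"""
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    uid: str          # hypothetical record identifier
    names: tuple      # primary name first, then aliases (a.k.a.)


# Constructed sample list with fictional names; not real SDN records.
SAMPLE_LIST = (
    Entry("C-0001", ("SMITH, JOHN ALEXANDER", "SMITH, J.A.")),
    Entry("C-0002", ("GLOBAL TRADING LLC", "GLOBAL TRADE COMPANY")),
    Entry("C-0003", ("DOE, JANE",)),
)

# Corporate suffixes ignored during matching (assumed list for the example).
CORPORATE_SUFFIXES = {"LLC", "INC", "LTD", "CO", "CORP", "COMPANY"}

# Token overlap at or above this value is reported as a preliminary match
# (threshold chosen for the example; tune against your own false-positive rate).
THRESHOLD = 0.6


def normalize(name: str) -> frozenset:
    """Reduce a name to an order-independent token set.

    Accents are stripped, case and punctuation are removed, and corporate
    suffixes are dropped so "Smith, John" and "John Smith" compare equal.
    """
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^A-Za-z0-9 ]+", " ", text.upper())
    return frozenset(t for t in text.split() if t not in CORPORATE_SUFFIXES)


def score(customer: frozenset, listed: frozenset) -> float:
    """Similarity in [0, 1]; 1.0 when the customer's tokens are wholly
    contained in the listed name (at least two tokens, so a bare surname
    such as "Smith" does not hit every Smith on the list); otherwise the
    Jaccard overlap of the two token sets."""
    if not customer or not listed:
        return 0.0
    if len(customer) >= 2 and customer <= listed:
        return 1.0
    return len(customer & listed) / len(customer | listed)


def screen(customer_name: str, entries=SAMPLE_LIST) -> dict:
    """Screen one customer name against every name and alias on the list.

    Returns {"status": "clear" | "preliminary match", "hits": [...]}, where
    each hit is (uid, listed name, score), best score first. A preliminary
    match is not a confirmed match: it must be resolved with OFAC's steps
    (and, if confirmed, reported) before any transaction proceeds.
    """
    customer = normalize(customer_name)
    hits = []
    for entry in entries:
        best = max((score(customer, normalize(n)), n) for n in entry.names)
        if best[0] >= THRESHOLD:
            hits.append((entry.uid, best[1], best[0]))
    hits.sort(key=lambda h: h[2], reverse=True)
    return {"status": "preliminary match" if hits else "clear", "hits": hits}


if __name__ == "__main__":
    for name in ("John Smith", "Smith", "Mary Jones", "Global Trading, LLC"):
        print(name, "->", screen(name))
```

The matching is deliberately exact at the token level: a misspelled or transliterated name will not hit, which is why real screening services add fuzzy matching and identifiers such as date of birth. Whatever the matching engine, the output is a queue of preliminary matches for a person to resolve, not a decision.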