2018 GNYADA Membership Directory

agency to have reasonable policies and procedures in place to form a reasonable belief that the consumer report relates to the consumer about whom the report was requested. There are multiple John Smiths and this Rule is intended for you to take appropriate steps to verify that you have the consumer report for your applicant. Dealers who establish a continuing relationship with consumers for whom they have received a notice of address discrepancy and who routinely furnish information to consumer reporting agencies, must also reasonably verify the accuracy of the address provided by such consumers and furnish the verified address to the consumer reporting agency that provided the consumer report and notice of address discrepancy.

Credit and Debit Cards: Fraud Prevention

In an effort to prevent credit card fraud, the industry has moved to credit cards with computer chips (a “chip card”). The use of chip cards requires more sophisticated card readers that can read a random code generated by the device. If you do not have and use such a chip card reader after October 1, 2015, you face the risk of being liable for a fraudulent transaction committed using a chip card.

Further, the Fair Credit Reporting Act (FCRA) prohibits printing more than the last five digits of a credit or debit card number or the card’s expiration date on any electronically printed card transaction receipt. Damages for doing so are $100 - $1,000 per receipt for willful violations (generally a knowing or reckless violation) with no cap on damages in a class action. MasterCard and Visa can also assess fines starting at $5,000 for the first violation and going up from there. Make sure your card processing machines are set up to not print any more than the last five numbers and do not print the card’s expiration date.

Recommended Practices

1. Create a culture of security at your dealership and get senior management buy-in. Limit permissions to access customer information to only those persons who need access to perform their jobs; require passwords to contain letters, symbols, and numbers and be changed frequently. Know the flow of information that enters your system and monitor for any unusual data flows in or out. These may be signs that a hacker has entered your system and is compromising security. Keep logs of who accesses customer information and when they do so for both electronic and paper files. Train your employees on the importance of safeguarding customer information. Do not leave credit apps or credit reports out in the open or in unsecured file drawers. Consider using processes that can determine if your employees are actually following the policies and procedures in your Information Security Program. Regularly review access logs of the consumer information records and follow up promptly if you see any unusual spikes in any employee or other user accessing customer files. Lock down files at night and on weekends, and implement a “clean desk” policy that requires all paper documents containing customer information to be locked up when not in use.

2. Put into place an Information Security Program that details how you safeguard and securely dispose of all your consumer information. Include a detailed data security incident and security breach response plan in the Information Security Program. Follow FTC guidelines for Information Security Programs and know your state’s law on use, communication, and display of Social Security numbers and consumer notification requirements in the event of a data breach. Avoid storing consumer information longer than is necessary or allowing access using widely known simple passwords. Make sure your dealership’s Information Security Program includes detailed provisions for the secure disposal of consumer information, both paper and electronic.
Train and re-train employees, perform stress tests to evaluate your systems regularly, and update provisions as
