
An Information Security Program must include certain basic elements to ensure it addresses relevant aspects of a dealer’s operations. The Information Security Program must:

• Describe how the program will protect customer information – both in paper and electronic format – and protect against anticipated threats to information security;
• Designate one or more employees to coordinate the Information Security Program;
• Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks in each relevant area of operations (i.e., employee training, information systems, prevention/response measures for attacks);
• Design and implement safeguards to control risks identified in the risk assessment, and regularly monitor, test, and update it;
• Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information;
• Include a security incident and data breach response plan in your Information Security Program for use in the event of any irregularity or in the event any consumer information is lost, stolen, or compromised;
• Test, evaluate, and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

In March 2019, the FTC proposed strengthened provisions for the FTC Safeguards Rule. The proposed amendments to the Rule would, among other things, clarify when motor vehicle dealers must provide annual privacy notices pursuant to the FAST Act of 2015 (Fixing America’s Surface Transportation (FAST) Act, Pub. L. No. 114-94), and expand the definition of financial institutions to include “finders” who charge consumers a fee to connect them with lenders for a loan.
www.ftc.gov/news-events/press-releases/2019/03/ftc-seeks-comment-proposed-amendments-safeguards-privacy-rules

The FTC has not issued final guidance on the amendments to the FTC Rule, but we advise that you stay up to date on any potential changes in the law by consulting your counsel.

Employee Oversight

The FTC’s consent decrees have made clear its expectation that businesses engage in certain practices as a baseline for safeguarding information. Among specific security requirements cited by the FTC were the following:

• Checking references or doing background checks before hiring employees who will have access to customer information and doing so in a way that comports with FTC guidance.
• Asking every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.
• Limiting access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs. Very few people in your dealership need access to all customer information and you should limit permissions accordingly.
• Controlling access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis. (Tough-to-crack passwords require the use of at least six characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols.)

2020 MEMBERSHIP DIRECTORY & SERVICES GUIDE HOT TOPICS

