GNYADA 2019 Membership Directory & Services Guide

DATA SAFEGUARDS AND IDENTITY THEFT PROTECTION

Identity theft and data breaches continue to be serious and ongoing issues for consumers, affecting millions each year. Small to Midsize Businesses (SMB), such as auto dealerships, face the same cyber security threats as larger organizations, especially when the SMB maintains sensitive information about consumers. Should a breach happen, chances are good that the response will be costly. Businesses suffering a data breach are faced with a myriad of costs including, but not limited to, those related to systems remediation, legal, public relations, forensics, communications, regulatory, diversion of management and employee time, loss of customers, and expenses to preserve the company’s name and reputation in the community. In this Chapter, we discuss laws and regulations relating to a dealer’s obligations to safeguard and securely dispose of customer information, and to verify customer identities. Additionally, the risks to dealers from certain forms of identity theft are changing dramatically as lenders look to dealers to repurchase contracts—even contracts that have paid for a period of time—entered into with identity thieves.

IMPORTANT LAWS AND REGULATIONS

The FTC Safeguards Rule

The FTC’s Safeguards Rule requires auto dealers to ensure the security and confidentiality of their customers’ personal information by using appropriate administrative, technical, and physical safeguards. The Rule also requires auto dealers to take reasonable steps to ensure that affiliates and service providers safeguard the customer information provided to them. Under the Safeguards Rule, an auto dealer must develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards that are appropriate to the dealership’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue (Information Security Program). The Safeguards Rule requires that the Information Security Program be designed to (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

The dealer’s Board of Directors (or its highest governing authority) must approve the initial Information Security Program and take responsibility for it (which includes receiving reports on the program and taking appropriate action where required). A senior officer must be appointed to be the Information Security Program manager responsible for developing, overseeing, implementing, training, updating, and administering the Information
