GNYADA 2019 Membership Directory & Services Guide

IDENTITY THEFT AND FRAUD PREVENTION

• Require the development of a comprehensive written Information Security Program, and the encryption of all personal information stored on laptops and portable devices or transmitted wirelessly or across public networks. Employee access must be limited and paper records must be locked up.
• Require compliance with the Payment Card Industry Data Security Standard (PCI-DSS) for credit and debit card information and transactions.

Consult your own attorney to determine what specific state laws may apply to you.

Social Security Number Protection Laws

Many states have passed laws restricting the use, communication, posting, emailing, or mailing of Social Security numbers (SSNs) and other nonpublic personal information (NPI). Many of these state laws prohibit (i) denying goods or services to a person who declines to give their SSN; (ii) printing SSNs on ID cards; (iii) communicating SSNs to the public or posting or displaying them; (iv) mailing SSNs within an envelope; and/or (v) emailing SSNs or other consumer NPI in an unencrypted email. A few states require companies that collect SSNs to have policies in place to protect the SSNs.

California’s law provides a good example of prohibited activity and applies to businesses, government, and other entities. The law prohibits:

• Printing SSNs on ID cards or badges;
• Printing SSNs on documents mailed to customers, unless the law requires it or the document is a form or application;
• Printing SSNs on postcards or any other mailer where they are visible without opening an envelope;
• Avoiding legal requirements by encoding or embedding SSNs in cards or documents, such as using a bar code, chip, or magnetic stripe;
• Requiring people to send SSNs over the Internet, unless the connection is secure or the number is encrypted; and
• Requiring people to use an SSN to log onto a website, unless a password is also used.

SSNs should be truncated in any visual or printed form and be safeguarded in electronic and paper files. Encryption of Social Security numbers and other NPI is a best practice for electronic records and mandatory when transmitting SSNs over electronic networks such as the Internet.

FTC Red Flags Rule

The Red Flags Rule requires a dealership to perform a risk analysis to develop and implement a written Identity Theft Prevention Program (ITPP) to detect, prevent, and mitigate identity theft. It is not a “one size fits all” rule. A dealer’s ITPP must be appropriate to the size and complexity of the dealership and the nature of its operations.

The Red Flags Rule requires lenders to monitor accounts in their portfolio (along with written-off accounts) for evidence of identity theft, in order to detect and mitigate further identity theft. So, more lenders are examining delinquencies and written-off accounts for identity theft, even accounts that may have paid for substantial
