When is the Last Time you Updated your Safeguards and Red Flags Rule Plans?

About a month ago, I asked a dealer about the last time the dealership’s Safeguards Rule and Red Flags Rule Plans were updated. The dealer paused, gave me a blank stare and then said: “I guess that’s something we should have?” Not only had the dealership not updated these plans, the dealership never developed and implemented either plan!

I am surprised about how many dealers continue to operate without the required Safeguards Rule Plan and the Red Flags Rule Identity Theft Prevention Program (ITPP) plan. It’s something they don’t think about or, quite frankly, worry about…until it’s too late.

Dealerships are required by federal law to have such plans. (By the way, dealerships are considered financial institutions because you assist customers with obtaining financing.) These requirements are enforced by the Federal Trade Commission (FTC).

In its publication “Privacy and Data Security Update 2018,” the FTC explains the following about both requirements:

The GLB Safeguards Rule requires financial institutions over which the FTC has jurisdiction to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards.

The Red Flags Rule requires financial institutions and certain creditors to have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. This year, the FTC announced a regulatory review, in which it is seeking public comment to determine whether it should update the Rule in light of new developments in the marketplace.

In short, the Safeguards Rule requires you to have practices and procedures in place to protect customer nonpublic personal information (NPI). The Red Flags Rule requires you to have practices and procedures in place to prevent you from selling a unit to an identity thief. When the FTC becomes aware of a company’s (dealership’s) actions or inactions that result in harm to consumers, it acts. One example, regarding violations of the Safeguards Rule, follows:

The FTC alleged that “_______” violated the Safeguards Rule by failing to develop a written comprehensive security program until November 2015; to conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; and to implement information security safeguards that would help prevent a cyberattack.

As part of the settlement with the FTC, the company is prohibited from violating the Privacy Rule and the Safeguards Rule of the Gramm-Leach-Bliley Act for 20 years. Consistent with several past cases involving violations of Gramm-Leach-Bliley Act Rules, the company is required for 10 years to obtain biennial third-party assessments of its compliance with these rules.

(NOTE: A violation of this order could result in very significant civil penalties.)

If you already have these plans in place, make sure they are updated on a regular basis, as conditions change and more threats are encountered. Your plan should clearly state how you detected any issues and what you did to resolve them. If you don’t already have these plans, you should develop them immediately.

NOTE: This article is not intended to provide legal or financial advice. It is for informational purposes only.

S. Allan Monello
S. Allen Monello, D.P.A. is the Managing Member of the Automotive Industry Center for Excellence, LLC. Dr. Monello conducts dealership compliance risk assessments and provides compliance training to various dealership personnel. He is certified as a “Consumer Credit Compliance Professional” by the National Automotive Finance Association, and as a “Certified Professional in Financial Services” by the Association of Finance and Insurance Professionals (AFIP). He can be reached by email at [email protected] or by phone at (727) 623-9075.