Complying With the Safeguard Rule

Ryan Lane, Director, KPA Sales & Finance Compliance
Jim Radogna, Sales & Finance Compliance Consultant

Upload: kpadealerwebinars

Post on 18-Jul-2015


TRANSCRIPT


Moderator: Rebecca Ward, Sr. Marketing Content Specialist, (303) 219-7802, [email protected]

A comprehensive solution for Environmental Health & Safety, HR Management, and Sales & Finance Compliance.

• 8/10 of the largest dealership groups in the country count on KPA.
• KPA has been endorsed by 26 national and state dealer associations.
• Founding member of the Clean Auto Alliance.

KPA delivers Environmental Health & Safety, HR Management and Sales & Finance Compliance programs that help our clients achieve regulatory compliance, control risk, protect their assets and effectively manage people through a combination of innovative software, award-winning training and on-site consulting. Over 5,200 clients, including 8 out of 10 of the largest dealership groups in the country, count on KPA for Environmental Health & Safety, HR Management and Sales & Finance Compliance programs that save them time and save them money.

KPA minimizes risks and maximizes profit for 5,200 dealers nationwide.

KPA Environmental Health & Safety | KPA Human Resource Management | KPA Sales & Finance Compliance

Presenter: Ryan Lane, Director, KPA Sales & Finance Compliance, (303) 802-3095, [email protected]

Presenter: Jim Radogna, Sales & Finance Compliance Consultant, (303) 228-8770, [email protected]

Questions

If you have questions during the presentation, please submit them using the “Questions” feature. Questions will be answered at the end of the webinar.

The Safeguards Rule – A Quick Review

• Enacted in 2003 and enforced by the FTC
• Requires dealers to have a written security plan to protect the confidentiality and integrity of customer and employee data, such as names, Social Security numbers, and credit card or bank account information
• Penalties for non-compliance: civil penalties of up to $10,000 per violation for officers and directors, who are personally liable, and up to $100,000 per violation for the financial institution itself. Criminal penalties include imprisonment for up to five years and fines.

The Safeguards Rule – A Quick Review

Requirements:

• Designating an Information Security Program Coordinator
• Performing a Safeguard Rule Risk Assessment
• Designing, writing, and implementing an Information Security Program
• Monitoring and testing the Information Security Program on an ongoing basis, and adjusting the program in light of relevant circumstances
• Selecting service providers that can maintain appropriate safeguards
• Training all staff members who have access to customer information

Who’s the Coordinator?

• Shouldn’t be a title-only position
• Should be someone with authority
• Should report directly to DP

Risk Assessment

• Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
• Both physical and digital risks should be assessed.

Written Program

• Must be in writing
• Should be comprehensive
• Shouldn’t be a static document
• Policy must be implemented

Service Providers

• Should have a written agreement with every vendor that has access to the dealer’s customer data.
• The Service Provider should represent and warrant that it will implement and maintain such safeguards as are necessary to protect the customer information provided by the dealer from unauthorized disclosure.
• The agreement should indemnify and hold the dealer harmless from any liability arising out of the Service Provider's failure to protect the Customer Information.

Monitoring and Testing

• Most dealers miss this step
• Should be performed on a periodic basis and documented.
• Should be monitored as frequently as necessary to ensure that the procedures are in place and operating effectively.
• It may also be beneficial to hire an outside party to audit the system on a regular basis, providing the dealership with an independent view.

Technology Challenges

• Dealerships are far more technologically advanced than they were when the Safeguards Rule first came into play
• Protecting consumer information has become quite a bit more challenging
• No longer just a matter of making sure that credit apps aren’t lying on top of desks in the showroom or that deal jackets are stored in locking cabinets.

Technology Challenges

• A dealer’s Safeguards system is only as good as its ability to respond to the latest threat
• The FTC charged a GA dealer with illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer file-sharing software
• An employee downloaded consumer data files onto a flash drive and took them home to work on them using his home computer
• The home computer contained the peer-to-peer software that triggered the breach
• None of the dealership's computers were ever loaded with the peer-to-peer software
• Any violation of the 20-year consent decree could cost the dealer $16,000 each

Best Practices

• Access to customer information should be limited to employees who have a business reason to see it, to the extent they need it to do their jobs.
• Dealership employees should not be permitted to use or reproduce customer information for their own use or for any use not authorized by the Dealership.
• Customer information should not be allowed to leave the dealership, either in paper form or on employees’ electronic devices.
• Customer information should always remain in management control.
• Allowing staff members to retain “working” customer files for follow-up purposes is risky at best.

Best Practices

• Consider limiting CRM access to dealership computers only for all but the most trusted top-level personnel.
• If you allow certain employees to use personal computers to store or access customer data, they should be required to use protections against viruses, spyware, and other unauthorized intrusions.
• The dealership should utilize anti-virus software and maintain computer firewalls.
• The ability to download customer information from dealership computers to portable media such as USB drives, external hard drives, or other remote devices should be disabled.

Best Practices

• Paper-based customer information should not be left exposed and unattended in an unsecured area, and should be stored in a room or file cabinets that are locked or otherwise not available to the general public. Be aware that consumer information in plain sight can be taken or even photographed with a cell phone.
• All customer information should be disposed of in a secure manner. Paper-based customer information should be shredded prior to disposal and electronic information should be effectively deleted prior to hardware disposal. This includes the hard drives of digital copiers, fax machines and PCs.
• Electronic customer information should be stored on secure servers and access to the information should be password controlled.

Best Practices

• Computer monitors in non-secure areas should be locked when not in use. Password-activated screen savers should be used to lock employee computers after a period of inactivity.
• “Strong” passwords should be required and changed on a regular basis. (Tough-to-crack passwords require the use of at least six characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols.) Passwords should not be shared or openly posted in work areas.
• Inbound or outbound credit card information, credit applications, or other sensitive financial data transmitted to the dealership directly from consumers should only be sent through an encrypted or secure connection.
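The password criteria on the slide above (at least six characters, upper- and lower-case letters, numbers and symbols, changed on a regular basis) written out as a small policy check. This is an added example, not code from the webinar or from KPA. The 90-day rotation interval, the account names and the candidate passwords are assumptions made for the example; the slide's minimum of six characters is kept as the default so a dealership can raise it. The check is meant to run at the moment a password is set or changed, never over a stored list of plaintext passwords.

```python
"""Password-policy check for the criteria stated on the Safeguards slide.

Added example, not KPA's code. Policy from the slide: at least six
characters, upper- and lower-case letters, and a combination of letters,
numbers and symbols; passwords changed on a regular basis. The 90-day
rotation window and the sample inputs are assumptions for this example.
"""
import string
from datetime import date
from typing import List

MIN_LENGTH = 6      # the slide's minimum; raise it for a stricter policy
MAX_AGE_DAYS = 90   # assumed rotation interval; the slide only says "regular basis"


def check_password(pw: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the policy failures for a candidate password (empty list = compliant).

    Call this when a password is being set or changed. Never keep plaintext
    passwords around to audit later; the rotation check below works from the
    last-changed date instead.
    """
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in string.punctuation for c in pw):
        failures.append("no symbol")
    return failures


def is_compliant(pw: str, min_length: int = MIN_LENGTH) -> bool:
    """True when the candidate meets every criterion on the slide."""
    return not check_password(pw, min_length)


def password_age_days(last_changed_iso: str, today_iso: str) -> int:
    """Days since the password was last changed (dates as YYYY-MM-DD)."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days


def rotation_due(last_changed_iso: str, today_iso: str,
                 max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation interval."""
    return password_age_days(last_changed_iso, today_iso) > max_age_days


def account_report(username: str, last_changed_iso: str, today_iso: str) -> str:
    """One line for the periodic review the slides call for: is a change overdue?"""
    age = password_age_days(last_changed_iso, today_iso)
    status = "ROTATION DUE" if rotation_due(last_changed_iso, today_iso) else "ok"
    return f"{username}: last changed {age} days ago, {status}"


if __name__ == "__main__":
    # Constructed sample inputs for the demo (not real credentials or accounts).
    for candidate in ["password", "Deal3rCars", "P@ss1w", "F&I-Desk2015"]:
        problems = check_password(candidate)
        verdict = "compliant" if not problems else ", ".join(problems)
        print(f"{candidate!r}: {verdict}")

    review_day = "2015-07-18"   # the webinar date, used as "today"
    print(account_report("fi_manager", "2015-03-01", review_day))
    print(account_report("salesperson", "2015-07-01", review_day))
```

The age check is separated from the strength check on purpose: strength can only be judged when the plaintext is momentarily in hand, while rotation can be reviewed from the last-changed timestamp the directory or DMS already records, which is the kind of evidence the "Monitoring and Testing" slide asks dealers to document.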

Best Practices

• Consumers should be advised against transmitting sensitive data by email or fax. If sensitive data must be transmitted to the dealership by email, such transmissions should be password controlled or otherwise protected from theft or unauthorized access.
• Customer financial information should not be stored on any computer system with a direct Internet connection.
• Policies should be in place for appropriate use and protection of laptops, PDAs, cell phones, and other mobile devices.
• Terminated employees should be prevented from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures.

Best Practices

• Procedures should be established to preserve the security, confidentiality and integrity of customer information in the event of a computer or other technological failure.
• The dealership should notify customers promptly if their customer information is subject to loss, damage or unauthorized access. The FTC requires this, and time will be critical in the aftermath of a breach to identify the problem, fix it, and take appropriate response measures.
• Employee training is a key component of an effective Safeguards program. Staff members should be trained to take basic steps to maintain the security, confidentiality, and integrity of customer information.
• New employees should be trained immediately and all employees should be retrained regularly.

You Never Know Who’s Lurking…

High-tech data breaches are challenging but low-tech problems are still common…

Questions and Answers

Contact Information

The recorded webinar and presentation slides will be emailed to you today including your local representative’s contact information.

www.kpaonline.com
[email protected]
866-228-6587