"Car Dealers Held Responsible for Identity Theft." It’s a recently recurring headline that has likely already caught your attention. Identity fraud is a wide-spread and very serious crime affecting millions of Americans annually to the tune of about $50 billion (yes, billion). Unfortunately, the nature of the automotive retail industry leaves many dealerships exposed to possible security breaches. And if your dealership is found to be in violation of compliance regulations, the dealer can ultimately be held liable.
Think about the exposure to risk in the dealership environment: thousands of customers’ personal information stored in paper deal jackets on site; high turnover of employees who have access to sensitive data; and heavy customer traffic on the premises. These are just some of the reasons dealers need to remain vigilant.
In the past decade, more and more measures have been put into place to help safeguard non-public personal information about customers. Among these measures are laws and regulations such as the Gramm-Leach-Bliley Act of 1999, the Safeguards Rule, the Federal Reserve Board’s Regulation P, and the Federal Trade Commission’s more recent Red Flags Rule. Many of these measures not only help to protect your customers, they also help reduce your exposure to incidents of identity theft.
Strati Papageorge, Director of Credit and Compliance Solutions with DealerTrack, has seen a shift in dealers’ perspectives in the last four years: "The big buzz recently is the concern over the Red Flags Rule, but overall, this concern has helped dealers to develop more understanding of broader compliance and security issues. They’re paying closer attention to where they stand on the compliance spectrum."
There are already a number of factors to be concerned about when it comes to compliance and data security within the dealership. It is natural for a dealer to have concerns, too, about the electronic files stored in their Dealer Management System (DMS). Fortunately, many DMS providers and integration companies are stepping up their technology to provide advanced security of dealership data. This is one area where most dealers can feel confident their customer data is protected.
Most reputable DMS providers already have reliable security measures built in, such as password-protected access; requirements for passwords to be changed regularly; encrypted data transmission; customized authorities for user roles; and the recent implementation of vendor-certified interfaces and processes, just to name a few. If you are unsure of the level of protection provided by your DMS provider or integration company, Papageorge and Brent Allen, President of The StoneEagle Group, both advise that you work with providers you are comfortable with.
Allen further recommends that you "read your provider’s agreement carefully. If it does not refer to compliance with Gramm-Leach-Bliley or Regulation P, ask why." If you’re not satisfied, or want to ensure compliance where your data is concerned, Allen recommends creating your own security document. "This document should be simple and to the point." And of course, "use compliant tools when possible: menus, cameras, or just good processes."
Papageorge points out that dealers must also do their due diligence regarding internal practices and employee training—educate employees about the importance of compliance issues and the possible ramifications of noncompliance. There should be a zero-tolerance policy for dishonest practices. He stresses that "all employees should also only have access to the minimum amount of customer information they need to perform their individual jobs. When an employee is terminated, that individual’s access should be removed within 24 hours."
And your electronic data? As a general rule, it’s better protected than those deal jackets and financials stored in your dealership’s "Secure Document Area." Papageorge says this practice of "announcing" the location of sensitive information seems counter-intuitive. And because most identity theft is the result of smaller data breaches (say, for example, a dishonest employee makes off with a deal jacket), individual dealerships are far less likely to be the target of a larger breach (such as internet hacking).
The transition to electronic records goes a long way toward protecting your customers and your business from the threat of identity theft and non-compliance. A little preliminary research into the DMS provider’s security policies is well worth the investment to ensure you are partnering with a company that can certify the safety of your data. Now, with that concern out of the way, you can focus your time on more critical areas, like that AFIP certification for your employees!