Pub. 1 2011 Issue 4
16 AUTOMOBILE DEALER NEWS ILLINOIS www.illinoisdealers.com

many businesses that may not normally describe themselves that way. In fact, the Safeguards Rule applies to all businesses, regardless of size, that are "significantly engaged" in providing financial products or services. While the FTC has never defined the phrase "significantly engaged," you should consider yourself "significantly engaged" in financial activities for purposes of the Safeguards Rule if you regularly provide installment sale and/or lease financing to consumers, even if you immediately assign the sales and lease contracts to a bank or finance company. [2,3]

Objectives of the Safeguards Rule

To understand the objectives of the Safeguards Rule, it is important to recognize why the GLB Act required the FTC and other government agencies to enact rules to protect sensitive customer information. Identity theft and customer data breaches are now commonplace, with stories found frequently in the news. In one case several years ago, an employee of a software vendor that provided services to the three national credit agencies sold customer information to identity thieves. At last report, authorities knew of at least 30,000 victims and an estimated $2.7 million in losses.

Consider the amount of current and historical customer data your business has accumulated over the years. It could be stored on paper in a file drawer, or in digital form on a computer hard drive. Now consider how safe and secure that information is.

The objectives of the Safeguards Rule are to:

1. Ensure the security and confidentiality of customer information.
2. Protect against any anticipated threats or hazards to the security or integrity of such information.
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Assess your compliance

The Safeguards Rule requires companies to develop and implement an information security program.
As part of the program, each company must: [2]

• Have a written information security plan that describes the actions and steps your business will take to protect customer information. The Safeguards Rule specifies that your plan should be appropriate to your dealership's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.
• Designate one or more employees to coordinate your security program. These employees should be named in your written security plan and should be aware that they have been so designated. Update the coordinators' names in the plan as personnel change.
• Identify and assess the risks to customer information in each relevant area of your organization's operation, and evaluate the effectiveness of the current safeguards for controlling these risks at reasonable intervals.
• Routinely monitor and test your information security program.
• Select appropriate service providers and require them, by contract, to implement safeguards appropriate to their organization for protecting customer information.
• Evaluate all aspects of your program from time to time, make appropriate adjustments, and be able to explain why you believed the adjustments were appropriate.

Securing your information

The Safeguards Rule requires that you consider risks to customer information in all areas of your operation, with special emphasis on three critical areas: employee training and management; information systems; and detecting and managing system failures. Please refer to the full Safeguards Rule, referenced at the end of this bulletin, for the complete content and practices to be implemented. [1]

Employee training and management

The success or failure of your information security program depends largely on the employees who implement it.
Some best practices to consider: [2]

• Check references before hiring employees who will have access to customer information.
• Ask every new employee to sign an agreement to follow your organization's confidentiality and security standards for handling customer information.
• Train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:
  » Locking rooms and file cabinets where paper records are kept.
  » Using strong passwords, at least eight characters long.
  » Encrypting sensitive customer information when it is transmitted electronically over networks or stored online.
  » Referring calls or other requests for customer information to designated individuals who have had safeguards training.
• Regularly instruct and remind all employees of your organization's policy, and the legal requirement, to keep customer information secure and confidential. You may want to provide employees with a detailed description of the kinds of customer information you handle (name, address, account number, and any other relevant information) and post reminders about their responsibility for security in areas where such information is stored.
• Limit access to customer information to employees who have a business reason to see it. For example, grant access to customer information files to employees who respond to customer inquiries, but only to the extent they need it to do their jobs.

Information systems

Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Below are some suggestions on how to maintain

Safeguards Rule (continued on page 18)