Pub. 1 2011 Issue 4

18 AUTOMOBILE DEALER NEWS ILLINOIS www.illinoisdealers.com security throughout the life cycle of customer information—that is, from data entry to data disposal: 2 • Store records in a secure area. Make sure only authorized employees have access to the area. For example: » Store paper records in a room, cabinet, or other container that is locked when unattended. » Store electronic customer information on a secure server that is accessible only with a password - or has other security protections - and is kept in a physically-secure area. » Don’t store sensitive customer data on a machine with an Internet connection. » Maintain secure backup media and keep archived data secure, for example, by storing off-line or in a physically secure area. • Provide for secure data transmission (with clear instructions and simple security tools) when you collect or transmit customer information. Specifically: » If you collect information directly from consumers, make secure transmission automatic. Caution consumers against transmitting sensitive data, like account numbers, via electronic mail. » If you must transmit sensitive data by electronic mail, ensure that such messages are password protected so that only authorized employees have access. • Dispose of customer information in a secure manner and, where applicable, consistent with the FTC’s Disposal Rule, www.ftc.gov/os/2004/11/041118disposalfrn.pdf. For example: » Hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information. » Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up, and promptly dispose of outdated customer information. • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. Managing system failures Effective securitymanagement includes the prevention, detec- tion and response to attacks, intrusions or other system failures. Consider the following suggestions: 2 • Maintain up-to-date and appropriate programs and controls by: » Following a written contingency plan to address any breaches of your physical, administrative or technical safeguards. » Checking with software vendors regularly to obtain and install patches that resolve software vulnerabilities. » Using anti-virus software that updates automatically. » Maintaining up-to-date firewalls, particularly if you use broadband Internet access or allow employees to connect to your network from home or other off-site locations. » Providing central management of security tools for your employees and passing along updates about any security risks or breaches. • Take steps to preserve the security, confidentiality and integrity of customer information in the event of a computer or other technological failure. For example, back up all customer data regularly. • Maintain systems and procedures to ensure that access to nonpublic consumer information is granted only to legitimate and valid users. • Notify customers promptly if their nonpublic personal information is subject to loss, damage or unauthorized access. Q References 1 www.ftc.gov/os/2002/05/67fr36585.pdf 2 business.ftc.gov/documents/bus54-financial-institutions-and-customer-information- complying-safeguards-rule 3 www.nada.org/NR/rdonlyres/3034050F-0D43-4E69-9AD3-85C39959F89E/0/Safe- guardingCustomerInfo.pdf 4 business.ftc.gov/documents/bus67-how-comply-privacy-consumer-financial-informa- tion-rule-gramm-leach-bliley-act For questions about this loss prevention topic, contact the Zurich Risk Engineering Department at 800-821-7803. Q safeguards rule — continued Additional Resources Safeguards Rule • Safeguards Rule: www.ftc.gov/os/2002/05/67fr36585.pdf • How to Comply With the Safeguards Rule: business.ftc.gov/documents/bus54-financial-institutions- and-customer-information-complying-safeguards-rule • NADA “A Dealer Guide to Safeguarding Customer Information”: www.nada.org/NR/rdonlyres/3034050F-0D43-4E69-9AD3- 85C39959F89E/0/SafeguardingCustomerInfo.pdf Privacy Rule • Privacy Rule: www.ftc.gov/os/2000/05/65fr33645.pdf • How to Comply With the Privacy Rule: business.ftc.gov/documents/bus67-how-comply-privacy- consumer-financial-information-rule-gramm-leach-bliley-act • Privacy Rule FAQs for Auto Dealers: business.ftc.gov/documents/bus64-ftcs-privacy-rule-and- auto-dealers-faqs Gramm-Leach-Bliley Act • GBL Act: www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW- 106publ102.pdf • Bureau of Consumer Protection - GBL Act: business.ftc.gov/privacy-and-security/gramm-leach-bliley-act