Pub. 3 2013 Issue 1

16 AUTOMOBILE DEALER NEWS ILLINOIS www.illinoisdealers.com

Privacy Policies — continued

Physical safeguards

It’s surprising how many dealer management systems allow carte blanche access to customer files. Treat sensitive consumer information as if it’s your own. Would you want your Social Security number or credit score lying open on someone’s desk or displayed on a computer screen for all to see? Not likely.

Set computers and smartphones to go into sleep mode after an inactive period and require a password to unlock the device. Store deal jackets in locked file cabinets behind locked doors. Employees should never remove deal jackets from your dealership premises under the guise of “working from home.”

When possible, go paperless. Limit access to consumer information with passwords. Logins should give employees and vendors access to only those data fields necessary to fulfill their jobs.

Online safeguards

The Internet may be a valuable source of leads, but it also can be a security risk. If you ask for financial information on your dealership website, make sure the data is encrypted. If you’re unsure, ask your website provider. The provider should use terms like “site certificate” or “SSL,” which means “secure sockets layer,” and it’s what keeps sites secure by encrypting data so only your browser can read it. If not, your online application could be putting customers at risk.

Disposal practices

Retain consumer information for a limited time period only. If someone test drives a vehicle, it’s really not necessary to keep a copy of his or her driver’s license. But do keep the name and contact information for follow-up calls or e-mails.

What if you’re legally required to retain hard copies of purchase agreements after the deal closes? Store them onsite under lock and key. Or move records offsite for storage with a reputable, trusted vendor.

Surprise audits

Chances are you haven’t given your customer privacy practices much thought recently. But you can’t afford to let them slide.

Spot-check your data security policies on a regular basis. Put yourself in a prospective employee’s shoes. Walk around the showroom looking for security breaches. Double-check that you’re following the steps outlined in this article. If not, you’re at risk of becoming another fraud statistic.

FTC Violations Prove Costly

A defendant was charged $35,000 for improperly disposing of about 40 boxes of sensitive customer records — including tax returns, credit applications, credit card numbers, driver’s licenses and credit reports. In addition to this penalty, the 2010 settlement required the defendant to hire an independent, third-party security professional to review its privacy protection program annually for the next 10 years.

Although this case involved a mortgage broker, dealers can obtain the same information from their customers and can easily violate the FTC Fair Credit Reporting Act and the Disposal Rule, which regulate the collection, dissemination, use and disposal of consumer information.

For more information, please contact John Comunale, CPA, at Councilor, Buchanan and Mitchell, P.C., certified public accountants, at (301)986-0600 or jcomunale@cbmcpa.com in Bethesda, Maryland.
