The FTC Safeguards Rule has been around since 2003 and sets forth standards for developing, implementing and maintaining reasonable administrative, technical and physical safeguards to protect the security, confidentiality, and integrity of customer information. Unfortunately, it remains one of the biggest challenges in our day-to-day operations. With the pandemic-era creation of the “virtual showroom” environment, the threat landscape has grown exponentially. And the new administration has already announced a renewed focus in this area.
When you consider the pressures we face today — speed, transparency, economic pressure, market competition, turnover, training and temptation — one can see why the challenges still exist. We need a better way to protect ourselves against not only the fines we have all heard about (which can now be up to $42,000 per violation) but, equally important, the collateral damage to your brand from such an incident. And to make matters worse, it’s not going away anytime soon!
Experts have predicted a renewed focus on Safeguards, mystery shoppers in more markets, and potential new laws making it easier for consumers to file class-action lawsuits. Plaintiffs’ attorneys have gone as far as renting billboards in major markets requesting a phone call “if a dealer has run your credit.” The deck is not stacked in our favor.
We make a written promise to every customer and prospect in our Privacy Statement. Yours most likely has a phrase similar to this: “To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.” Do we really demonstrate the necessary consistent behavior to fulfill this obligation? If the answer is no, it is time to make the required changes to correct the problem.
There are four simple steps we can take to make substantial improvements in your current environment. Three of these are required by law. The first is a dedicated compliance officer, someone with both the responsibility and authority to “have your back,” not just a signature in your policies and procedures. The second is to periodically review and update your policies and procedures and consistently train your staff to comply. Training is a must because of turnover, business pressures, and the overall chaos in showrooms during busy times. The third is to routinely audit and review your staff’s behavior against these policies. If there are gaps, you should adjust and retrain to eliminate these risks. The Safeguards program specifically requires you to “evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business arrangements or operations, or the results of testing and monitoring safeguards.”
The fourth, which many organizations still struggle with, is execution against these policies on a consistent basis. With so many moving pieces around front-end compliance, dealers should consider embracing technologies such as compliance enforcement platforms to ensure the proper behavior after training. Such a platform is different from the standard commoditized Red Flag/OFAC items that are returned with a credit report. More specifically, it should be a platform that “forces” the appropriate behavior on every transaction, ensuring the proper creation, processing and retention of customer information. Most dealers do an excellent job with sold deals but do not always do a good job with dead deals. There are recent public examples of these types of breaches.
You would never consider running your business today without a DMS solution. Why would you treat compliance any differently? With all the complexities in the regulations, constant changes in staff and the busy environment, leveraging technology is the best and most effective way to glue together the first three items. You must lock down a process you can stand behind to protect your customers, your business and yourself. With the renewed focus on compliance, the time to act is now.