Compliance Blog

Helping Your Dealership Navigate Federal and State Laws and Regulatory Mandates

December 2011

DealerTrack Webinar Recording: Risk-Based Pricing and Adverse Action Requirements

December 01, 2011

by DealerTrack, Inc.

Randy Henrick, DealerTrack Compliance and Regulatory Counsel, presents the myths, realities and facts about when dealers must issue Risk-Based Pricing and Adverse Action Notices to consumers.

Webinar duration: Approx. 13 minutes

Posted in Credit Apps/Contracts

The Threat Within: Internal Data Breaches and ID Theft

December 16, 2011

by Randy Henrick

Automotive News recently reported that an Arizona dealer's F&I Manager was involved in a fraud ring that stole the identities of dealership customers and shared them with a criminal enterprise. At least a dozen identity thefts were tied directly to the F&I Manager's theft of non-public personal information from the dealership, with more expected. In a plea deal, and in exchange for cooperating against the other fraudsters, he was sentenced to ten years in jail. Presumably the dealership's liabilities have only just begun.

The F&I Manager had a previous criminal history that the dealership had never investigated. In fact, he had 17 felony convictions for crimes such as burglary, credit card theft, and drug violations. Yet he was charismatic and a top producer at the dealership, earning $200,000 or more annually before he was caught by the local police.

While this story may be somewhat extreme, it points out an important risk that you as a dealer need to protect against: employee misconduct, and negligence in performing duties, that can expose your dealership to significant liabilities.

Answer the following as a start:

(1) Do you run background and criminal checks on employees you hire who will have access to customer information?

(2) Are you careful to grant permissions to consumer information only to those employees who absolutely need it to do their jobs?

(3) Do you secure paper and electronic files and keep a log of which employees access customer information and when? A sudden spike in an employee's access to customer information (whether in paper deal jackets or electronic dealer databases) should be promptly addressed with the employee.

(4) Do you disable permissions to dealership databases and DealerTrack when an employee leaves? In fact, it is a good idea to disable them before the employee's last day rather than after.

(5) Do you disable the ability to download customer files onto external hard drives, USB drives, and other memory devices?

(6) Do you disable the emailing of customer files to external email addresses?

(7) Do you limit access to DealerTrack to trusted dealership IP addresses only?

Studies have shown that over 50% of data breaches originate from inside the dealership, either through willful acts of disgruntled or disloyal employees or through negligence such as leaving credit applications, credit reports and deal jackets open and in plain sight. Data security must be a top priority in your dealership, and every employee must be held accountable. Train and retrain your employees on securing active deal jackets and information from the moment it is received until you securely dispose of it under your Safeguards and Data Destruction policies. Keep all paper deal jackets locked in a secure facility and appoint a trusted employee to be the "gatekeeper" who records which employees check out deal files and when they are returned. Most electronic databases (including DealerTrack's Activity Reports) give you the ability to track employee access to electronic files. A great deal of information exists in the paper world as well, and the copying or theft of paper files is as much a data breach as someone hacking into your CRM system or downloading customer information onto removable storage devices. You need to be vigilant with both paper and electronic information.
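The two log-based checks described above, a sudden spike in one employee's record access and continued use of an account that should have been disabled when the employee left, can be automated once the access log is exported. The following is an added example, not DealerTrack code and not the format of its Activity Reports: the log format (one line per record access: ISO timestamp, user, record id), the employee names, the termination date and the thresholds are all invented for illustration.

```python
"""Insider-access review over a constructed DMS access log (added example).

Check 1: flag any user-day whose record-access count is far above that
         user's own baseline (the "sudden spike" the post warns about).
Check 2: flag any access by an account after its owner's last working day
         (the account was not disabled on departure).
The log format, names and dates below are invented for this example.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Assumed HR data for the example: user -> last working day.
TERMINATED = {"kmoore": date(2011, 12, 7)}


def build_sample_log():
    """Construct a sample log, one access per line: 'ISO-timestamp user record'."""
    lines = []
    for day in range(5, 10):                       # 5 Dec .. 9 Dec 2011
        for i in range(3):                         # jsmith: steady 3 records/day
            lines.append(f"2011-12-{day:02d}T09:{i:02d}:00 jsmith DEAL-{day}{i:02d}")
        n = 40 if day == 9 else 4                  # rdoe: 4/day, then 40 on the 9th
        for i in range(n):
            lines.append(f"2011-12-{day:02d}T10:{i:02d}:00 rdoe DEAL-{day}{i:02d}")
    # kmoore left on 7 Dec, yet the account pulls a deal jacket on the 8th.
    lines.append("2011-12-08T18:30:00 kmoore DEAL-805")
    return "\n".join(lines)


def parse_log(text):
    """Return a list of (datetime, user, record_id); blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, record_id = line.split()
        records.append((datetime.fromisoformat(ts), user, record_id))
    return records


def daily_counts(records):
    """user -> {date -> number of records accessed that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, _ in records:
        counts[user][ts.date()] += 1
    return counts


def find_spikes(counts, factor=3.0, min_abs=10):
    """Flag a user-day with at least `min_abs` accesses that is also at least
    `factor` times the median of that user's other days (a user with no other
    days is flagged on volume alone). Returns (user, day, count, baseline)."""
    spikes = []
    for user, per_day in counts.items():
        for day, n in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            baseline = median(others) if others else 0
            if n >= min_abs and (baseline == 0 or n >= factor * baseline):
                spikes.append((user, day.isoformat(), n, baseline))
    return spikes


def find_post_termination_access(records, terminated=TERMINATED):
    """Any access dated after the user's last working day means the account
    was not disabled when the employee left. Returns (user, timestamp, record)."""
    hits = []
    for ts, user, record_id in records:
        last_day = terminated.get(user)
        if last_day is not None and ts.date() > last_day:
            hits.append((user, ts.isoformat(), record_id))
    return hits


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for user, day, n, base in find_spikes(daily_counts(recs)):
        print(f"SPIKE  {user} accessed {n} records on {day} (baseline {base}/day)")
    for user, when, rec in find_post_termination_access(recs):
        print(f"STALE  {user} used account after last day: {rec} at {when}")
```

The spike test compares each day against the same employee's own median, so a high-volume F&I manager is not flagged merely for doing more deals than a salesperson; tune `factor` and `min_abs` to your store's volume before acting on a hit.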

The FTC has said that your Safeguards Program should include a Security Breach Response Plan in case your customer information is ever compromised. Assign responsibilities, retain experts such as forensics specialists, and have a plan to take the necessary steps to contain, assess, and respond to the data breach. 46 states require that you send notices to their residents if their information is compromised, and those laws are not consistent with one another. Federal legislation to adopt a uniform national breach-notification standard failed in the U.S. Senate.

A privacy research organization, the Ponemon Institute, estimated the "all-in" cost of a data breach in 2011 to be $214 per record compromised. This includes costs of legal, regulatory, forensics, accounting, PR, investigation, diversion of resources, loss of customer goodwill, and other tangible and intangible effects on your dealership. It doesn't take a great deal of compromised information to produce a huge liability.

Data security may be your dealership's largest financial risk. Make 2012 the year you take data security seriously and be proactive in protecting against, and monitoring for, both internal and external threats. Run mock drills simulating electronic intruder attacks on your DMS and databases; do showroom walk-throughs at busy times to see how much customer information is in plain sight in fax bins, on copiers and on desks; test your security incident response plan. Use IT and forensics experts if necessary to help you do so. And update your training and monitoring with the knowledge you gain. It may be the best money you ever spend.

________

Randy Henrick is Associate General Counsel and lead Compliance Counsel for DealerTrack, Inc. This article is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice, based on your particular situation, from a knowledgeable attorney or compliance professional licensed to practice in your state.

Posted in Privacy/Security/ID Theft

CFPB Begins Taking Tips from Whistleblowers

December 21, 2011

by CounselorLibrary.com LLC

The Consumer Financial Protection Bureau is soliciting information from whistleblowers and other knowledgeable sources about potential violators of federal consumer financial laws. The CFPB is welcoming information from current or former employees, contractors, vendors, and competitor companies. The Dodd-Frank Act provides certain anti-retaliation protections for whistleblowers. They may not be terminated or discriminated against for:

(1) providing information to the employer, the Bureau, or any other state, local, or federal government authority or law enforcement agency relating to a violation of federal consumer financial law;

(2) testifying about a potential violation;

(3) filing any lawsuit or other proceeding under any federal consumer financial law;

(4) objecting to or refusing to participate in violations of federal consumer financial laws.

The whistleblower channels announced today include an email address and a toll-free "tips hotline." Early next year, the Bureau plans to introduce an online tips portal accessible through its website. Whistleblowers using any of these channels may request confidentiality or even remain anonymous to the extent permitted by law, although providing contact information may assist the Bureau in investigating and remediating potential violations of federal consumer financial laws.

Posted in Privacy/Security/ID Theft

Compliance Definition of the Week

December 27, 2011

by DealerTrack, Inc.

UDAPs (Unfair and Deceptive Acts and Practices laws): Includes FTC Act Section 5 and similar state laws, used frequently by the FTC and state Attorneys General to correct, and obtain damages for, consumer abuses by automobile dealers and other entities. Civil penalties under FTC Act Section 5 can total $16,000 per violation, per day. The FTC takes the position that inadequate data security practices are themselves a violation of Section 5.

Posted in Privacy/Security/ID Theft