"The Privacy Cops Are Here"
By: Thomas Hudson
Last month, we headlined an article "Here Come the Privacy Cops" and told you there were rumors that the Federal Trade Commission had been looking at dealers' compliance with the FTC's Safeguards Rule. Rumor is now fact.
We've obtained what we believe on good information to be a copy of one of the FTC's letters to a dealership. Pretty scary stuff.
The letter begins with the announcement that the FTC staff "is conducting a non-public inquiry" into the dealership's compliance with the security standards contained in the Gramm-Leach-Bliley Act and the dealership's implementation of the FTC's Safeguards Rule. If this were your dealership and you were opening the mail, how would your day be going so far?
Wait, it gets worse. The letter sets out the requirements and purpose of the Safeguards Rule, then turns deadly, asking for enough documents to fill the bed of a Ford F-150. What did the FTC ask for? Check this list.
1. The dealership's complete legal name, its principal place of business, date and state of incorporation, and any d/b/a names;
So far, so good.
2. A description of the dealership's corporate structure, and the names of all parents, subsidiaries (whether wholly or partly owned), divisions, affiliates, joint ventures, operations under assumed names, websites, and entities over which it exercises supervision or control, describing the relationship of each to the dealership;
That didn't hurt a bit.
3. A description of each type of information from or about customers (such as customer names, street and email addresses, telephone numbers, Social Security numbers, bank and credit card numbers, income and credit histories) that is collected or maintained by or for the dealership or its affiliates, along with a copy of each form used to collect the information;
Oops.
4. A copy of the dealership's written information security program, and a statement of when it was written and implemented;
No problem — we 3-hole punched some NADA Guide and stuck it into a notebook, didn't we? I know the Guide said not to do that, but it's better than nothing, right?
5. A copy of each policy, manual or other written document that relates to the dealership's procedures and practices respecting the security of information, including, but not limited to, access to and the maintenance, retention and transmission of the information within the dealership and between the dealership and its affiliates and other entities;
Pass the Tums.
6. A description of or documents describing the security risks to the confidentiality and integrity of the dealership's customer information that the dealership identified in developing its security plan and a description of how the plan does and does not address each of these risks;
And the Maalox.
7. The name and title of the employee responsible for coordinating the dealership's information security program and all documents that record, concern or reflect policies, practices, procedures, instructions, and directions followed by that employee or that the employee is required to follow in coordinating the program.
Yikes! Call the lawyer!
We've said it before – the Federal Trade Commission, which is the federal regulator of car dealerships for a number of laws and regulations, including the privacy regulations, is the meanest cop in town when it comes to enforcement. Our bet is that the FTC will not be at all happy with the level of privacy compliance by car dealers, and that this "inquiry" will turn into a vigorous enforcement effort. The FTC staff is very knowledgeable, the federal government prints money so it won't run out of it, and the enforcement of privacy laws and regulations is a real "motherhood" issue. If you've been taking your privacy responsibilities lightly, better think again.
Copyright © 2003 Consumer Credit Compliance Company, LLC. All rights reserved.
This publication is designed to provide accurate and authoritative
information regarding the subject matter covered. It is provided with
the understanding that the publisher and editor are not engaged in
rendering legal counsel. If legal advice is required, the service of
a competent professional should be sought.
For more information about Thomas Hudson and Spot Delivery® go to www.spotdelivery.com or contact: tbhudson@hudco.com
Consumer Credit
Compliance Company, LLC
971 Corporate Boulevard
Suite 301
Linthicum, MD 21090
877.464.8326
410.684.6923 (fax)