On June 7, 2012, the FTC announced that it had agreed on terms of a consent order with a Georgia Toyota dealer stemming from the dealer’s failure to maintain adequate control of its customer information as required by the FTC Safeguards Rule. The FTC charged that the dealer had violated its Safeguards obligations by having peer-to-peer (P2P) software onto its computer system. The effect of this, the FTC charged, was to open up much of the dealer’s computer data, including non-public personal information of consumers with whom the dealer had done business, to others on the file sharing network. The FTC charged that this violated the Safeguards Rule’s requirement to have in place protections against open availability of private customer information and that it was contrary to the privacy notice given by the dealer to customers which assured that it had such protections in place.
The consent order requires the dealer to follow specific compliance procedures for twenty years. Not only must the dealer put the revised Safeguards procedures in place, train its employees about them, and regularly monitor compliance, it must retain an outside certified expert to do an initial assessment and a follow up assessment every two years to be sure that the dealer’s process is being followed. Like all FTC consent orders, it is backed up by the FTC’s power to level civil penalties for violations.
The FTC consent order shows one important reason why dealers must protect non-public customer information – the law requires it. However, there is an equally compelling reason to do so – customer data is a valuable asset of your business. Your customer list is part of the six or seven figure goodwill value of your franchised dealership.
What lesson does this consent order provide to a dealer? Clearly, failing to protect the security of your computer data is a serious problem, but there is a broader lesson. The FTC Safeguards Rule requires that a motor vehicle dealer have in place a plan for safeguarding non-public personal information of its customers. That rule went into effect in 2003, and every dealer should have a plan in place. However, adopting a plan nearly a decade ago is not enough. When was the last time you evaluated the effectiveness of your plan?
The FTC Safeguards Rule requires that, from time to time, each business must evaluate its Safeguards plan and its compliance with it.
A dealer’s Safeguards system is only as good as its ability to respond to the latest threat. Whether it is P2P software, hacker threats, or simply lack of physical security for access to the computer or to hard files in the dealership, new threats can arise daily. That is why the FTC Safeguards Rule requires that a business conduct regular audits to determine the effectiveness of its policy and procedures. From time to time, a dealer must look at its Safeguards plan and the soundness of the plan is protecting against threats, what incidents may have occurred that require changes, what general dangers have been identified by others in the industry, what experiences dealership personnel have had that suggest amendment to the plan or procedures are necessary, or other problems.
Hopefully, all dealers have adopted a Safeguards compliance plan. But a dealer who does not regularly evaluate and revise its plan and procedures is not effectively safeguarding its customer data and its business. At least once per year, the dealer’s Safeguard’s coordinator should examine and test the effectiveness of the dealer’s Safeguards plan. And any review should be done immediately if there is an incident suggesting a flaw in the plan or in implementation of the plan.