Pub. 18 2019-2020 Issue 2

N E W J E R S E Y C O A L I T I O N O F A U T O M O T I V E R E T A I L E R S 23 new jersey auto retailer W W W . N J C A R . O R G share their information with. Be warned - there are many varia- tions to the model Privacy Notice, so it is highly recommended dealers consult with their attorneys when adopting an informa- tion sharing policy. Recently settled FTC cases, such as the one with DealerBuilt earlier this year, serve as an additional cautionary tale. Dealers should be aware that marketing, advertising, F&I, CRM, and DMS providers should be referenced on a Privacy Notice. The Privacy Policy should also disclose the fact that Service Provid- ers or Marketing Entities are companies that will be obtaining the shared information, as indicated on the front of the Notice. Moreover, Dealer agreements should be read carefully to ensure that Service Providers and Marketing Companies maintain Information Security Policies and training for their employees. The Safeguards Rule The Safeguards Rule regulates financial institutions to ensure that customer information remains secure and protects custom- er information from unauthorized access, fraud, or misuse. As technology progresses and becomes more advanced, Internet and out of area sales for dealerships continue to increase, cre- ating a need to adjust the dealership’s Privacy and Information Security Programs (“ ISP ”). It is advisable to review whether your dealership has imple- mented all the requirements of the regulations in 2003; which includes: 1. Naming a Corporate Compliance Officer; 2. Docu- menting a written ISP; 3. Conducting Risk Assessments of the facility; 4. Training all employees; and 5. Conducting on-going training. In addition, dealers should know that the regulations require employee training ( annually at a minimum, quarterly to comply with the Safeguards Rule ). Online training platforms such as Compli or outside consultants can assist with maintaining such training requirements. The use of smart phones and technology in dealerships has also created new challenges when complying with the GLB Act. As mentioned earlier, the Safeguards Rule was enacted in 2003, when a cell phone did not have the capabilities of today’s smart phones. Consumers and customers are accustomed to the convenience of using the cameras and texting features of cell phones, which can capture and store non-public information. This can create significant liability when non-public informa- tion is placed on an employee’s personal device. Every dealer- ship should make sure their employees acknowledge and agree to the dealership’s information sharing policy. Locked offices, desks, and filing cabinets are obvious and traditional standards of the Safeguards Rule. However, the ongoing progression in technology has forced the FTC to increase the standards in its revised federal data security rules. The National Automobile Dealers Association (“ NADA ”) says small and midsize dealers will each have to spend hundreds of thousands of dollars initially and annually to comply with proposed changes to the FTC’s Safeguards Rule. Not to men- tion, according to an article published in Automotive News in September 2019, potential revisions to federal data security rules could add “billions of dollars in costs to U.S. auto dealer- ships in total.” As such, if your dealership’s ISP Binder is sitting on the shelf and you have not conducted your Annual Review/Training, it may be time to blow off the dust, make some adjustments, and train your employees. Could a paperless environment eliminate the potential threats of identity theft in dealerships? It has been an age-old battle trying to manage the paperwork that accumulates in the buy- ing process of an automobile. Many software companies have posed solutions – developing streamlined processes to help dealerships comply with the increased compliance burdens. F&I Departments have adopted a paperless delivery process, utilizing systems like Docu-Pad and electronic signatures. In addition, accounting offices utilize scanning companies, such as AutoTrieve ( an NJ CAR business partner) , to electronically store deal jackets, eliminating the need for storage of files and potential liability of loss. NJ CAR has also partnered with Dealer Safeguard Solutions (“ DSGSS ”), which offers a front-end compliance platform designed to streamline the sales process from handshake to F&I. This program provides an electronic deal jacket to capture the driver’s licenses, credit applications, and all paperwork generated prior to F&I. The system eliminates the liabilities of exposing non-public information in the showroom and protects non-public personal information, reducing the potential for Identity Theft. Ultimately, it is important to recognize the potential hazards our industry is facing with technology and data today. It is pos- sible that your dealership’s policies may not be up to date with the changing landscape of compliance caused by new advances in technology. Education, Training, and Oversight can effective- ly mitigate and reduce the liability of these simple, yet com- plicated rules. The FTC website, www.ftc.gov is an excellent source of information regarding all aspects of these regulations. NADA and NJ CAR are also reliable sources of information and provide training to assist dealerships with today’s compli- ance burdens. Judy Vann Karstadt is President of JV Solutions LLC. She teaches dealers how to efficiently implement the policies and training related to Privacy, Safeguards, Red Flags Rule and much more. She can be contacted at (732) 492-1818 or jvann592@gmail.com. As such, if your dealership’s ISP Binder is sitting on the shelf and you have not conducted your Annual Review/Training, it may be time to blow off the dust, make some adjustments, and train your employees.