This is by no means a complete tutorial on compliance. You need to read and be familiar with the rules discussed, interpret them for yourself, or contact an attorney for assistance.
The Federal Trade Commission’s guidelines for the Red Flags Rule include this statement:
- Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
The Safeguards Rule of the Privacy Act has almost exactly the same wording.
What this means to you, as a Dealer, is simply that you have to come up with a Plan and put it in writing. You will need to identify and write down some or all of the following:
- What we do to implement and monitor the rules.
- How we comply with the rule. Be specific.
- How we train employees to follow the rule.
- Which employees are affected by the rule.
- Sanctions or penalties to employees for violations.
- Where we store the records for our proof of compliance with the rule.
- Who is responsible for all this.
To be honest, your own reading of the Rules may show you something else you need to do.
A couple of these items need further clarification:
WHAT WE DO TO COMPLY:
This is not HOW you comply. This is a statement of your plan and the steps you took (or take) to implement it. It should include an Audit Plan.
HOW WE COMPLY WITH THE RULE:
Let’s get this straight: simply saying that you are in compliance won’t cut it. Nor will just saying that your DMS program “handles it.” The DMS and its functions will need to be identified as a component of your plan, but the DMS by itself is not the plan.
HOW WE TRAIN EMPLOYEES:
Have some training materials done up with plain-English explanations of what the Rule means, and the specific responsibilities of each employee. Again, be specific. This can’t just be for show. Actually do a training session with the affected employees.
WHICH EMPLOYEES ARE AFFECTED:
Simply put, identify which people will need (and have received) training. It makes no sense to sit shop mechanics down for Red Flags Rule training, but cashiers will need it. Keep a log of when employees are hired and when they are trained. Annual refreshers are also a good idea.
WHO IS RESPONSIBLE:
This simply means that you appoint someone in authority (even if it is yourself) who is responsible for implementing the plan. If this person leaves, you must name a replacement.
It is YOUR responsibility as a Dealer to find out what is required, and understand what it all means.
The Safeguards Rules of the Privacy Act are complex. In my opinion, a lot was left up to interpretation or guesswork that could have been better defined. That said, it’s not very difficult; it just requires some focus and understanding. For example, did you know that an unsecured wireless network is considered a violation of the Privacy Act? For this purpose, unsecured doesn’t just mean open wireless; it can also mean a secured wireless network with an easy password. This is a violation even if no one can prove that any unwanted people ever accessed the network.
Programs that allow file sharing can be a violation, even if the program was never given access to private information. As with the wireless network, the violation is simply that a potential hazard to the information exists. Even something as simple as credit applications or deal jackets left lying on a desk in a public area is a violation.
The point is, you have to step back and look intently and objectively at what is possible. Don’t discount anything. Always err on the cautious side if in doubt. It goes without saying that repeatedly locking and unlocking file cabinets throughout the day is tiresome and aggravating, but it may be necessary.
If you post customer pictures and names to Facebook, or even just on your actual walls, make sure you have express permission from the customer to do so.
Remember that compliance is not a one-time thing. It is an ongoing process that needs to be as integral to your business as cleaning the cars out front.
If you need help or a starting point to go by, please contact me.