The FTC's Safeguards Rule And Combating Identity Theft

Resources for monitoring fraudulent activity have been spread thin since the 2001 terrorist attacks. According to Donna Eide, a federal prosecutor, one third of the FBI was reassigned to monitoring terrorism activities after the 2001 attacks on the World Trade Center – the same one third was previously assigned to fraudulent activities. The increased duties and terrorist activity focus of the FBI means less attention is being given to fraudulent activity.

Further, where fraud is concerned, Ms. Eide indicated she rarely prosecutes a case that involves less than $100,000. It is rare that she prosecutes smaller cases because of prioritization. The courts seldom sentence white-collar criminals that have committed identity theft to a sufficient jail sentence to offer future deterrence. The courts abilities are restricted because of the overcrowding problem in our jails. The prosecutor chooses to expend time where it does the most good, in fighting battles where the court will impose a sufficient sentence to offer deterrence.

Dealerships seem to be an easy target of identity theft. This type of theft is usually conducted by someone working inside the dealership.

A Nissan dealership in the southwest recently had a finance manager commit fifty-two cases of identity theft within the store. The manager was substituting information from past customers with good credit for current customers with bad credit in order to secure financing for the current customers. The dealership incurred over a half million dollars in litigation costs associated with the theft.

Recently, a state government official was convicted of embezzling from a state retirement account. The individual had previously spent time in jail for fraud. After prison, the individual was hired by a dealership as a salesperson. While working as a salesperson, the individual secured a customer’s personal information to use as his own, and thus, obtained a job in government without the government office seeing his criminal history.

In April of 2003, a government agency conducted a sting operation at an Indianapolis dealership that resulted in the arrest of a dealership employee that was selling credit applications. The United States Attorney’s Office prosecuted him for stealing and selling over one hundred credit applications. The court sentenced him to ten months in jail. The dealership employee was a custodian.

Cases of fraud, specifically identity theft, have occurred at dealerships throughout the United States. Many examples can be found through doing a search on the Internet. When occurring, a lawsuit is usually lurking in the background as well as the potential for the FTC to conduct audits and assess fines for violations of the Safeguards Rule.

A dealership can reduce its risk and liability by taking measures to prevent identity theft from occurring. Credit applications can be sold for between $30 and $60, and depending on the quality of the applicant, as much as $500. Because there is a market for credit applications, and the information on them, dealerships should treat them as something of value. They should implement controls similar to those used to safeguard parts or cash such as restricting access to them and securing them. Further, they can embrace the FTC’s Safeguards Rule. In an age where technology has advanced to a stage that makes it easy for criminals to commit identity theft, dealerships must assume responsibility for the privacy and protection of information they collect from customers. The Safeguards Rule is a regulation that is long over due and is regulation that tells dealerships what they should have already been doing.

SAFEGUARDS RULE

The Federal Trade Commission’s (FTC’s) Safeguards Rule governs the safeguarding of non-public customer information:

Non-public customer information is defined in the rule as any information that a dealership is provided by a customer in conjunction with a financial transaction.

Whereas public customer information is defined as any information that is publicly available through a government organization, information that is widely distributed in media such as the phone book or the Internet, or any other information that is readily available to the public.

The Rule authorizes the FTC to impose fines upon dealerships for non-compliance. The maximum fine is $11,000 per day per occurrence, and the required compliance date was May 23, 2003. To keep the FTC from imposing a fine, dealerships must comply with the rule’s five elements:

(1) The dealership must assign a program coordinator to be responsible for overseeing compliance of the rule. The program coordinator must be a dealership employee or a board of dealership employees. Additionally, the coordinator should be someone that is in a position of authority, understands the operations of the various departments within the dealership and is able to carry out the responsibility of the position. Likely candidates include the controller, general manager, and finance director.

(2) The dealership must perform a risk assessment. The assessment should highlight the dealership’s policies and procedures that relate to the taking, processing, storing, and discarding of customer information. Additionally, the assessment must cover several functional areas of the dealership: employee training and management; information systems; and attacks, intrusions and other systems failures.

(3) The dealership must develop an information security program and document it in writing. The program should state the dealership’s policies regarding the taking, processing, storing and discarding of customer information. Additionally, it should cover any items described in the risk assessment and should meet three objectives: ensure the security and confidentiality of customer information, prevent anticipated threats or hazards to customer information and protect against the unauthorized access of customer information.

(4) The dealership must oversee its service providers. The dealership is responsible for its interaction with third parties, which have access to the dealership’s customer information whether directly or indirectly. (E.g., direct access occurs when the dealership faxes a credit application to a bank; indirect access occurs when the dealership gives its cleaning company access to a room that contains unsecured customer information).

(5) The dealership must update, maintain and train in relation to its information security program. Whenever there is a material change to the dealership’s operations, an update is mandated. Additionally, whenever there is a new interpretation of the rule by a court or other governmental agency, dealerships should review their programs for accuracy. Maintaining the program refers to ensuring that its policies are followed. Dealerships accomplish the maintaining portion of the rule by monitoring and testing the policies on a regular but periodic basis, documenting the results and enacting appropriate corrective action where deficiencies are noted. Dealerships accomplish training by holding initial training sessions to introduce the FTC’s rule and the dealership’s policies as stated in its information security program regarding the rule. Additionally, dealerships should offer annual training to increase awareness and update employees on changes to the dealership’s policies, and it should require new hires
to review the dealership’s information security program upon hiring.

Meeting the above elements requires an initial outlay of significant resources (i.e., someone’s time), and to ensure future compliance, a continual dedication of those resources. Many dealers originally decided to use internal resources to comply with the rule; however, they quickly realized those resources were not available because of lean operations. For these types of dealerships, an accounting firm, law firm, or consulting firm can provide the solution. For dealerships that have used internal resources to perform the initial requirements, a look from the outside can offer added security and help to fine tune a dealership’s program so as to further limit its liability.