Safeguards and the Service Drive

There is a Safeguards Rule-related question I get asked so often that I think it worthwhile to answer it here – with any luck, I will never get asked it again. The question is this: Does the Safeguards Rule apply to the dealership’s service drive? The short an-swer is ‘Yes.’ The longer answer follows.

As a first principle, the Safeguards Rule applies to a certain type of entity, not specific departments within an entity 22 auto dealer today to which it applies. The entities to which the Safeguards Rule applies are “financial institutions.” When you hear the term “financial institution,” you think banks, credit unions, credit card companies and so on, and you would be correct.

But the definition of “financial institution” is more broad than the obvious. To quote the Rule:

Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U,S,C, 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.

So now we turn to the Bank Holding Company Act of 1956 to see what, exactly, constitutes a “financial activity”:

(i) Lending, exchanging, transferring, investing for others, or safeguarding financial assets other than money or securities.

(ii) Providing any device or other instrumentality for transferring money or other financial assets.

(iii) Arranging, effecting, or facilitating financial transactions for the account of third parties.

Does originating retail installment sale contracts (RISCs) to finance the sale of motor vehicles sound like it fits within that definition? To quote Rowan & Martin’s Laugh-In, “You bet your sweet bippy.”

Safeguarding customer information – and the integrity of the dealership’s entire data environment – is an ongoing, overarching process that starts with an attitude of protect everything. To be effective, there must be no exceptions.

But wait, there’s more. The Rule itself calls out automobile dealerships as an example of a financial institution:

An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).

Note two things from the above. First, dealerships are almost certainly financial institutions subject to the Safeguards Rule (there is a narrow exception for dealerships that have fewer than 5,000 customer records). And second, the Rule applies to dealerships as institutions, not as departments. Which brings us back to the service drive.

The rationale I hear for the belief the Rule might not apply to a dealership’s activities in the service drive is that leases and RISCs are not generated in that department. That is both true and beside the point. The Safeguards Rule is not designed to (only) protect RISCs and leases, but to protect “customer information” generally. And that definition is quite broad:

Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

Of course, this definition requires us to find another one. What is “nonpublic personal information”? Per the Rule, it includes “Personally identifiable financial information.” Does your service drive accept credit cards or personal checks? Of course it does – and that means it handles or maintains customer information.

Let’s take this a step further and imagine a dealership whose service drive only accepts cash. Would the Safeguards Rule apply in that situation? Almost certainly. First, because the Rule applies to financial institutions, not departments of financial institutions. And second, because customer information can be accessed from the service drive. Does the service department have access to the dealership’s DMS? Of course it does, and that point of access must be protected.

Do service department employees have dealership email addresses? If so, the service drive represents a safeguards risk, as email-based malware attacks are a significant risk to the security of the dealership’s entire IT network – the mother lode of customer information.

To return to our short answer, yes, the Safeguards Rule applies to the service drive. At a minimum, employee training (including phishing awareness), multi-factor authentication, data encryption, continuous network endpoint monitoring, and access controls should be implemented in this area.

Why? Because safeguarding customer information – and the integrity of the dealership’s entire data environment – is an ongoing, overarching process that starts with an attitude of protect everything. To be effective, there must be no exceptions.

ABOUT THE AUTHOR: James Ganther is the president of Mosaic Compliance Services.