Dealer Updates Nov/Dec 2012

Page 12

INDUSTRY CORNER

Alleged Privacy Notice Violations

A Georgia dealership named in a recent Federal Trade Commission (FTC) complaint engages in the sale and financing of vehicles as well as the leasing of vehicles. Consequently, that dealership is subject to various provisions of both the FTC Act and the Privacy Rule. The dealership had a privacy notice, but the FTC cited the failure to send it, its format and its language when listing the charges.

For background, the FTC Act, among other things, grants the FTC authority to regulate and enforce against unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. The Privacy Rule is a regulation concerned with the collection and safekeeping of consumers’ personal private information. It derives from the Gramm-Leach-Bliley Act, often referred to as the Privacy Act. The FTC’s Privacy Rule requires financial institutions to provide the customer written notice of the kinds of information they collect, what they use it for, who they share it with and how they protect it. The rule further requires the institution to give the customer an option to restrict sharing of that information in some cases.

The Georgia dealership allegedly failed to send annual privacy notices to its customers. The Privacy Rule includes provisions for both initial notices and annual notices. An initial notice must be provided to:
• Customer: An individual who becomes your customer, not later than when you establish a customer relationship.
• Consumer: A consumer, before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party other than as prescribed by law.
An annual notice must be provided not less than annually during the continuation of the customer relationship.

The FTC complaint also says the company failed to provide a mechanism by which consumers could opt out of information-sharing with nonaffiliated third parties, as required by the Privacy Rule. A common mechanism for providing an information-sharing opt out is the company’s privacy notice. The FTC has published model forms and detailed guidelines for the preparation of privacy notices. A company whose privacy notice is prepared in strict accordance with the model forms and guidelines is guaranteed a safe harbor defense as to the format of the notice. The Georgia dealership’s privacy notice, as exhibited in the complaint, does not adhere to the format of the model privacy notice forms published by the FTC.

Irrespective of format, the content of the privacy notice must accurately reflect a company’s privacy and data security policies and practices. The dealership’s privacy notice included the following statements: “We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic and procedural safeguards that comply with federal regulations to guard nonpublic personal information.” In the complaint, however, the FTC noted: “In truth and in fact, respondent did not implement reasonable and appropriate measures to protect consumers’ personal information from unauthorized access. Therefore, the representation set forth … was, and is, false or misleading”, thereby violating the FTC Act’s prohibitions of unfair or deceptive acts or practices. It bears repeating – the content of the privacy notice must accurately reflect a company’s privacy and data security policies and practices. In FTC commentary related to a separate privacy case, all financial institutions are encouraged to “review your privacy policy and double-check that what you promise – expressly or by implication – comports with your day-to-day practices. Like any other claim, what you say about how you handle information has to be truthful and backed up with solid proof… Simply put, promise only what you know for a fact you deliver.”

If your dealership extends credit, arranges for or brokers credit, or leases vehicles on a non-operating basis, you are likely subject to the Privacy Rule and should be providing privacy notices in accordance with the rule. Privacy notices conforming to the FTC model forms are available through OIADA, your state association. The notices will be customized specifically for your dealership to reflect your stated policies and practices. If you have questions or would like more information, please contact the OIADA office at 405-232-2947 or 800-346-4232.

Note: We are not attorneys. This article was prepared for informational purposes only. It has been made available with the understanding that neither ADR of Oklahoma nor OIADA is engaged in rendering legal advice. You are urged to contact legal counsel for its application to your operation.

Overview of the Safeguards Rule

The Safeguards Rule is one of several federal regulations concerned with the protection and safekeeping of consumers’ personal private information. Like the Privacy Rule, the Safeguards Rule derives from the Gramm-Leach-Bliley Act (GLB), often referred to as the Privacy Act. As implemented by the Federal Trade Commission (FTC), the Safeguards Rule is concerned with the physical security of privacy information. It requires financial institutions to develop, implement and maintain a comprehensive information security program. The program must be in written format and must contain administrative, technical and physical safeguards appropriate to the business. For purposes of the GLB, a “financial institution” includes businesses – such as car dealers – involved in the extension of credit or in activities related to the extension of credit, or that are involved in leasing vehicles.

A Georgia dealership recently charged with violating the FTC’s Safeguards Rule allegedly “failed to implement reasonable security policies and procedures” by:
• Failing to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information.
• Failing to design and implement information safeguards to control the risks to customer information and failing to regularly test and monitor them.
• Failing to investigate, evaluate and adjust the information security program in light of known or identified risks.
• Failing to develop, implement and maintain a comprehensive written information security program.
• Failing to designate an employee to coordinate the company’s information security program.

The stated objective of the Safeguards Rule is to protect consumers’ private information by requiring certain businesses to develop safeguards plans. If your dealership meets the definition of a “financial institution” – for example, if you lease cars or if you are involved in the financing of vehicles you sell – you are subject to the Safeguards Rule and are required to implement a safeguards plan. The objective of your safeguards plan is to define and document your dealership’s procedures for safeguarding, or physically securing and protecting, consumers’ personal private information. At a minimum, your safeguards plan will document:
• The personal identifying information you collect.
• How it is collected.
• Where it is stored and how it is safeguarded while it is “active” – while the sale is in process.
• Where it is stored and how it is safeguarded on a permanent basis.
• How long the data is retained.
• How the data is handled for disposal.
• Employee security training and certifications.
• Security threat and incident response plan.

Your goal when preparing your safeguards plan is to develop a viable, workable set of written procedures that, when implemented, adequately secure the personal information you are privileged to access and ultimately afford your customers the privacy they are guaranteed under federal law. If you have questions about developing a safeguards plan for your dealership, please contact the OIADA staff at 405-232-2947 or 800-346-4232.

Note: We are not attorneys. This article was prepared for informational purposes only. It has been made available with the understanding that neither ADR of Oklahoma nor OIADA is engaged in rendering legal advice. You are urged to contact legal counsel for its application to your operation.

DEALER UPDATES – NOVEMBER/DECEMBER 2012 – WWW.NEIADA.COM
