Of Beach Houses and Safeguards

This is a serious article about a serious compliance topic. I promise.

I write this from a spacious beach house just steps from the summer-warm waters of Florida’s Gulf Coast. It feels like paradise.

This house’s 3,200 square feet are enough to accommodate 15 members of the extended Ganther Clan. It is a comfortable chaos fueled by Mexican beer and fresh fish tacos. My pants don’t fit, and my liver is ineligible for transplant. Like I said, paradise.

But if there is one smudge in this picture of paradise, it is this: Our view of the gulf is obstructed by an incredible but unoccupied seaside mansion.

I have no quarrel with the mansion itself. It is beautiful, clad in stone and capped with a high-pitched flush seam metal roof, ringed with glass-faced dormers from which the wealthy can observe both the beauty of the sea and the trailer trash who occupy the three-story rental behind their incredibly manicured back lawn.

Unable to contain my curiosity, I looked up the property on Zillow.com. Per that website, its estimated current value is $26 million. That’s just an estimate, of course. Public records indicate it was purchased in 2010 for $3.4 million. Twenty years earlier, the parcel sold for $1.5 million. And back in 1983, when the first recorded sale occurred, the land traded hands for $75,000.

The lesson here is clear: If you want Florida beachfront property, buy it 40 years ago. Keep this in mind. It will become important later.

Last month I had the good fortune to attend the National Independent Automobile Dealers Association (NIADA) convention and Expo in Las Vegas. While not as large as the NADA version, the NIADA show was hosted at the Wynn Hotel and Resort, which has its own charms.

NIADA invited attorneys from the Federal Trade Commission (Staff Attorney Dan Dwyer) to address its members in two sessions. I attended both. Each quickly morphed from prepared remarks to open-mic.

To their credit, the government attorney was as candid as his marching orders allowed. After the mandatory caveats (“These are my comments and not those of the Commission…”) he gave meaningful answers to the questions posed from the floor.

One of my questions was this: June 9 has come and gone, and we have seen no perp walks for failure to comply with the revised Safeguards Rule. Does this mean there will be no enforcement?

Dan Dwyer’s answer was emphatic: Do not confuse the lack of perp walks with inaction on the part of the FTC. Enforcement actions take up to a year from the time they start to the time you hear about it in the news. You may assume this new rule will be vigorously enforced. And I do not mean onesie, twosy enforcement. Think “sweeps.” You’ve all seen our sweeps in the past, where numerous businesses were cited at the same time. Expect that with respect to the Safeguards Rule. And those sweeps will not be limited to just the automobile industry.

Message received.

When an enforcement action begins, it usually starts with a Civil Investigation Demand, or CID. A CID in this case will likely start with, “Please provide a copy of your Written Information Security Program (WISP).” And if you don’t have one, your fate is pretty much sealed. Once a CID arrives at your store, it’s too late to go back and create one.

All of which leads us back to the lesson of Florida beachfront property: The best time to get it is in the past. So it is with a WISP. The best time to get one is last year. The second-best time is today. Tomorrow may be too late.

James Ganther is president of Mosaic Compliance Services.

Originally posted on Auto Dealer Today