
Combating Electronic Threats: Don't Get Burned With Just A Firewall

March 2006, F&I and Showroom - Feature

by Alan Andreu

It’s probably fair to say that most dealers, by now, understand that they are required to protect their customers’ non-public personal information (NPI). This requirement, flowing from the Gramm-Leach-Bliley Act, is contained in the FTC Safeguards Rule (16 CFR 314) and became the law of the land May 23, 2003.

The FTC Safeguards Rule applies to “all financial institutions over which the Federal Trade Commission has jurisdiction.” Car dealerships that originate loans (which is to say, most car dealers) are under FTC jurisdiction, and therefore must comply with the Safeguards Rule. Any dealer who hasn’t been living under a rock for the past three years knows this much. What is less well known, however, is how to comply. And the greatest area of uncertainty seems to relate to computer security.

“Paper” security is almost self-explanatory: Keep documents containing NPI away from unauthorized personnel, third parties and customers. Lock file cabinets and office doors. Place document shredders in F&I offices and business offices. Locate fax machines on which credit apps are transmitted away from public access. Train dealership employees with respect to the Rule, and document that effort (an often overlooked requirement). And so on.

But computer security is not quite so intuitive, and the risks are far greater. To put this in economic perspective, consider that the potential FTC penalty for leaving one deal jacket in plain sight, unprotected, is $11,000. But the potential penalty for leaving a computer unprotected, with access to 15,000 customer files, is $165 million. In one recent case, the FTC assessed a $15 million fine against a company that failed to fully comply with the Safeguards Rule. Clearly, it is worth a dealer’s while to protect customers’ NPI stored in electronic format. But how does one do that?

Actually, it is easier than you might think, or fear. But first, one must understand how computers are used in the average dealership, how they work, and how a bad guy can exploit a network’s vulnerabilities to gain unauthorized access. Then, a dealer needs to know what the Safeguards Rule actually requires. Once that basic understanding is in place, protecting your network becomes a manageable task.

There are two main types of computer systems at a car dealership: a dealership management system (DMS) and a dealership’s own network. A DMS is generally leased from a third-party vendor such as Reynolds and Reynolds or ADP, which combined are said to control more than 90 percent of the market. Other players include ARKONA, Proceed, UCS and EDS. A dealer’s network, on the other hand, is homegrown, unique and owned by the dealer.

Dealership computer systems have evolved rapidly over the last decade or so. Ten or 15 years ago, the dealership was run almost exclusively by the DMS. It controlled sales, service, parts, F&I, accounting and payroll. Those who needed access to it were given that access through a “dumb” terminal that alone didn’t have any processing power. There was virtually no access to the Internet or to any other computer, for that matter.

As information technology improved, dealer personnel needed processing power at their desks. Microsoft Word, Excel and other applications were needed. Dealers began to replace dumb terminals with real computers that had actual processing and networking capabilities. When individual computers, or “workstations,” are connected, either to a central server or to other workstations, a network is born. So today, many dealership computing functions are performed on a dealer’s own network, independent of the DMS.

Of course, dealers still need to access their DMS, so the DMS providers give dealers “terminal emulators,” such as ERA Link or Reflections. Terminal emulators permit dealer personnel to access the DMS from the convenience of their own networked computer.

The Internet then brought on a whole new set of connections. Dealers went online to apply for tags, register service contracts, do online menus, post their inventory, send credit applications to lenders, retrieve credit bureau reports, get book values, generate Internet leads, communicate with the manufacturers, confirm driver’s licenses, pull tag information and use a host of other online applications. But all of these new applications, while bringing function, also bring risk.
