Identifying the Enemy Within

August 2007, F&I and Showroom - Feature

by James Ganther

The fact that identity theft has been cited as the fastest-growing crime in the United States doesn’t bode well for automotive dealerships. Because of the nature and amount of nonpublic, personal information dealership employees collect in the course of delivering a vehicle, dealerships are a target for identity thieves. But what happens when that thief happens to be on the payroll?

A name, date of birth, and either an address or Social Security number are all an identity thief needs to get started. Much of that information can be obtained from a driver’s license, which is routinely collected and copied prior to a test drive. However, dealerships collect far more — and far more sensitive — information. Credit applications and reports containing account information can make the job of a would-be ID thief much easier. Even completed F&I menus can be used to compromise a customer’s data security.

Once collected, all of this information is at risk until securely stored or destroyed. And the person with the easiest access to this nonpublic personal information is almost certainly a dealership employee.

Safeguards Rule: The Five Requirements

Implementing steps to prevent ID theft is a good place to start. In fact, it is a requirement set forth by the FTC Safeguards Rule. It says all “financial institutions,” including dealerships that arrange financing or leasing, are obligated to have a written customer information security program that addresses the five main areas listed below:

1. Appoint a program coordinator (commonly referred to as a compliance officer).

2. Conduct a risk assessment, including an assessment of the dealership’s computer networks and DMS.

3. Design and implement safeguards to address the risks identified in the risk assessment.

4. Oversee service providers, especially outside vendors who have access to nonpublic personal information of a dealership’s customers.

5. Periodically audit and revise the information security program.

Let’s consider a common fact pattern. A dealership employee has legitimate access to customers’ nonpublic personal information. Falling into temptation, the employee copies enough information to get a new credit card issued in the customer’s name. The employee goes on an Internet shopping spree, maxing out the card with charges for a new flat-panel HDTV, iPod, and a year’s supply of SlimFast meals. All deliveries go to a Mail Boxes Etc. address in a nearby town.

While watching football on the ill-gotten HDTV, the culprit orders two large pizzas from a local pizza place (the SlimFast apparently got old). Unfortunately for the ID thief, he gave away his home address when ordering the pizza, leading law enforcement to his door.

Now for the payoff question: What happens to the dealership? Like all true legal questions, the answer is “Well, that depends.” Not only will the dealership have to prove it had a satisfactory information security program in place, but it will also have to prove it trained the culprit whose behavior is frowned upon. If it can prove both, then the answer is “not much.” If it can’t, then the dealership had better start warming up its checkbook.

Remedies and Repercussions

No individual aggrieved party can sue a dealership for violating the Safeguards Rule. That’s the FTC’s job. But the FTC has taken the position that failing to comply with the Safeguards Rule constitutes a deceptive trade practice, and aggrieved parties can sue for that. In fact, “deceptive trade practices” are among a plaintiff lawyer’s favorite words, right up there with “class action” and “punitive damages.”
