G-L-B Audits

Gramm-Leach-Bliley Act Customer Privacy Safeguards Rules And Compliance Audits

KILLGORE, PEARLMAN, STAMP, ORNSTEIN & SQUIRES, P.A.

ATTORNEYS AND COUNSELORS AT LAW

Killgore, Pearlman, Stamp, Ornstein & Squires, P.A
2 South Orange Avenue, 5th Floor
P.O. Box 1913
Orlando, Florida 32802-1913

Phone: (407) 425-1020
Fax: (407) 839-3635

WILLIAM J. DENIUS
CRAIG S. PEARLMAN 3
PHILIP S. KAPROW 1
T. GREY SQUIRES 2
FRANK H. KILLGORE 2
MARTIN F. STAMP 4
BRENDA J. NEWMAN
ERIK F. WHYNOT
MARK L. ORNSTEIN 2

  1. ALSO MEMBER OF CALIFORNIA BAR
  2. CERTIFIED CIRCUIT COURT MEDIATOR
  3. ALSO MEMBER OF DC & WEST VIRGINIA BAR
  4. ALSO MEMBER OF NEW YORK & TEXAS BAR

Sender's email address: mlornstein@kpsos.com

Dear Larry:

During our conversation of May 29, 2003, you inquired whether our firm could assist dealers in putting together privacy policies for their dealerships.

Please be advised that we have performed in the past, and continue to perform, on-site inspections of dealerships to assess strengths and weaknesses with regard to the treatment of all customer information.

Thereafter, we make recommendations with respect to correcting any shortcomings.

Further, we have created documents such as dealership privacy policies and employee agreements to keep on file with the privacy policies, as well as letters to third party vendors advising them to keep dealership customer information secure.

These documents are tailored to the needs of each individual dealership.

Finally, we provide dealers with a checklist at the commencement of our inspection so that they may continue to monitor and enforce their new and existing privacy policies.

Sincerely,

Mark L. Ornstein

407.425.1020
mlornstein@kpsos.com

MLO/lb


More information on the requirements of this new law is set forth below:

Gramm-Leach-Bliley II

New rule sets standards for safeguarding customer information. Step-by-step instructions for complying with Phase II of the Gramm-Leach-Bliley Act. Did you know that the feds consider car dealerships to be financial institutions in some cases?

The Federal Trade Commission has published a new rule that is an addition to the Gramm-Leach-Bliley Privacy Rule enacted two years ago.

It is the FTC's "Standards for Safeguarding Customer Information."

The Safeguards Rule requires dealers to develop, implement and maintain a comprehensive written customer information security program.

It also requires dealers to ensure that their affiliates and service providers maintain appropriate safeguards as well.

The final compliance date for the original Privacy Rule was July 1, 2001. The final compliance date for the Safeguards Rule was May 23, 2003.

The new rule has three main objectives:

  1. Insure the security and confidentiality of the dealership's customer information.
  2. Protect against any anticipated threats or hazards to the security and/or integrity of the dealership's customer information.
  3. Protect against unauthorized access to or use of the dealership's customer information that could result in substantial harm or inconvenience to any customer.

For purposes of the rule, "customer information" means any information about a customer of the dealership, or information the dealership receives about the customer of another financial institution, which can be directly or indirectly attributed to the customer.

Step-by-step procedure

The first step in the process of preparing a program is to designate a dealership employee as the coordinator for your program.

This should be someone familiar with dealership operations.

The next step in the process is to conduct a risk assessment.

You must identify reasonably foreseeable internal and external risks to the dealership with regard to customer information.

A detailed questionnaire could be completed by interviewing representatives from each of the various departments in your dealership.

They should be familiar with the operations and day-to-day activities as they relate to protecting your customer information.

The completed questionnaires should be retained indefinitely as part of your compliance records.

Using the information gathered during the interviews, a list of risks and threats to your customer information should be prepared.

Next, you need to design and implement a safeguard program to control the risks you've identified through the risk assessment.

As you develop your final written policies, be sure that you address all risks and threats identified during the assessment process and develop processes and policies to overcome them.

Once your policies have been written, you should establish a checklist that will act as your "to-do" list, documenting all of the actions you have completed or plan to complete during your efforts to create a program.

Remember that documenting as much of the process as possible is your best defense from having the FTC find you non-compliant with the regulations.

Employee training

After you have completed the preparation of your program, you are required to train all of your employees so that they understand the safeguard regulations as well as your specific dealership policies.

This should include an explanation of the FTC Rule, the elements involved in compliance, and an explanation and review of the custom designed dealership program.

In addition, the regulations require you to monitor and test your safeguards on a continuing basis and make adjustments to your program as necessary.

The regulations require that access to your computer applications be limited based on a need-to-know requirement for accessing customer information.

These safeguards may include secure data transmission lines, secure internet and e-mail transmissions, secure servers, up-to-date anti-virus software, adequate firewalls, back-up and recovery policies as well as system failure and contingency plans related to your computer information.

You need to assess any special considerations regarding your information systems, including network and software design, as well as information processing, storage, transmission and disposal.

You also should be able to detect and prevent any intrusions to your electronic and non-electronic information systems, or other information systems failures.

DSPs must be involved

The regulations provide that you must oversee your dealership systems providers.

This is accomplished by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for your customer information.

You may need a contract with your service providers to implement and maintain such safeguards.

The requirements of the federal regulations and the varied circumstances of each dealership are too complex to simply mechanically adopt a program without adapting it specifically to your dealership.

There may be matters upon which you are required to take additional action in order to comply with the regulations.

After the policies and procedures are in place, you will need to evaluate and adjust your program.

Self-testing and audits will identify the adjustments your program needs.

Changes to your business or operations will require corresponding changes to the program.

No program can anticipate every possible requirement.

Your diligent efforts will go a long way in determining how well you comply with the regulations.
