The Gramm Leach Bliley Act “Seeks to protect consumer's financial privacy.” Also: PATRIOT Act, OFAC, 8300, Regulations Z&M, Telephone Sales Rules & CAN SPAMM

The Financial Privacy Rule governs the collection and disclosure of customer personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, that receive such information (i.e., third party providers).

*The Safeguards Rule requires all financial institutions (automotive dealerships included) to design, implement, and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions – such as credit reporting agencies – that receive customer information from other financial institutions.

The Privacy Statement is a “Legal Time Bomb.” you are required to have one, and it must contain the following statement (or one much like it):

“We restrict access to nonpublic personal information about you to those employees who need to know that information to provide products or services to you. We maintain physical, electronic and procedural safeguards that comply with federal regulations to guard your nonpublic personal information.”

Enforcing the Privacy Promises: Federal Trade Commission Act 15 U.S.C. Part 41-58, as amended - Section 5 of the FTC Act: Using its authority under Section 5, which prohibits unfair or deceptive practices, the commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information. Worse yet are the implications for a civil suit from individuals when ID theft occurs and the dealership or institution cannot prove they have done all possible to protect customer information.

*Standards for Safeguards – NOTE: “This is risk management …"

Each financial institution (i.e., automotive dealerships) must develop, implement, and maintain a comprehensive information security program (ISP) that is written in readily accessible part(s); the program must contain administrative, technical, and physical safeguards that are appropriate to:

• The size and complexity of the financial institution;
• The nature and scope of its activities; and
• The sensitivity of its customer information.

Although the standard is flexible, the Rule sets forth certain required elements for ISPs. The required elements are:

• Designate one or more employees to coordinate its program.
• Assess risks to the security of customer information.
• Design and implement safeguards to address risks, and test and monitor their effectiveness over time.
• Oversee service providers (third-party providers.)
• Adjust the program to address developments & changes.

NOTE: This means each physical location must have its own ISP, and it must be kept current and its provisions tested.

We have a program to fit every budget and every organization. Call us for a no-obligation assessment and proposal to fit your organization's physical, technological, and procedural needs.

My passion is to ensure your organization's compliance and productivity.