FTC Issues GLBA Safeguard Rule FAQs: What Motor Vehicle Dealers Need to Know

Fox Rothschild LLP

Here is what you need to know:

Step 1: Are you a financial institution?

  • You are if you either finance (or facilitate the financing of) vehicles OR if you lease vehicles for more than 90 days.
  • If a dealership arranges or brokers a loan for a consumer, then it is in a “continuing relationship” with that consumer for purposes of safeguarding the customer information they provided to it.
  • It remains customer information even after the end of the customer relationship (e.g., if the dealership no longer holds the note) – in other words, the dealership must continue to protect customer information that it obtains from a customer, even if they are no longer a customer, for as long as it has that customer information in its possession.
  • Talk to your attorney to check if other activities you do qualify as “financing or facilitating financial activities or activities incidental to them.”

Step 2: Determine what customer information you have

  • This is information that identifies people who seek or are getting a financial product or service from you and with whom you develop a “continuing relationship.”
  • You must secure information systems that contain customer information as well as those that are connected to a system containing customer information.

Step 3: Plan and implement your information security program around that

  • The more robust the data and the more employees, the more robust the plan should be.
  • Include administrative, technical, and physical safeguards that are appropriate for your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.

You need to do 10 basic things:

  • Designate a qualified individual to oversee.
  • Draft a written risk assessment.
  • Design and implement safeguards.
  • Regularly monitor and test.
  • Adopt policies and procedures to ensure (including training).
  • Oversee your service providers.
  • Keep your information security program current.
  • Create a written incident response plan.
  • Require your designated Qualified Individual to report to your Board (at least annually).
  • Notify FTC of breaches.

If a dealership discloses to an OEM name and address information together with information obtained in the financing process, that information is covered by the Privacy Rule, and you need to comply with the privacy notice and opt-out requirements of the Privacy Rule.

If you share information showing that individuals obtained financing, you must protect that information under the Safeguards Rule. Also, even if a particular record is not customer information, if the dealership keeps customer information on its network, it needs to implement safeguards to protect its network generally. It would also have to oversee the OEM’s safeguards if it discloses that information to an OEM that is acting as a service provider.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Fox Rothschild LLP
