Violations of Your Information Safeguard Policy

Team VADA eViews
The Digital Newsletter of Your Virginia Automobile Dealers Association
April 2008
 
 
  • What do you do when customer information is compromised?
  • Consider notifying the authorities
  • Notify affected individuals
  • Consider whether the dealership is a victim
 
You have in place a strong Information Safeguard policy. You’ve trained your employees about the policy, and you regularly update it. When you learn that non-public personal information of a customer has been compromised, what do you do?
 

This is a common question because the FTC Information Safeguard Rule does not cover the steps to take in the event of a breach. However, there are several common-sense steps that you should take.

 

 
Consider notifying the authorities. 

When customer information has been misused, the dealer must always ask whether it is appropriate to notify the authorities. How serious was the activity? How much information was involved? What are the circumstances? When the breach involves activities that appear to pose significant threats of identity theft to the dealership’s customers, law enforcement authorities should be notified.

 

 
Update your safeguard policy. 

Was the misuse of non-public personal customer information a risk contemplated by the dealership’s information safeguard plan? If so, was it a failure of enforcement? Whenever there is suspected misuse of customer information, the dealership should review its information safeguard plan. If a risk was not covered, then that risk should be identified in the program. Means of preventing the misuse should also be strengthened.

 

 
Notify affected individuals. 
If non-public personal information of customers is misused, the dealership should notify the individuals potentially affected. If law enforcement is involved, check with law enforcement about the timing of notification so as not to adversely affect the investigation. Once it is clear that notification is appropriate, you should send a notice to the customer.
 
  • Describe clearly what you know about the incident.
  • Explain to the customer what responses they may want to take as a result of the information that has been compromised.
  • If law enforcement is involved, provide contact information for the law enforcement agency.
  • Explain to the customer what steps the customer can take, such as placing a fraud alert on his or her credit file and regularly checking the credit report for unknown transactions.
 

The Federal Trade Commission has published a brochure concerning steps to take if a customer’s information is compromised that includes a model letter. This document is available at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus59.shtm.

 

 
Consider whether the dealership is a victim. 
Can the information that’s been compromised be used to victimize the dealership? Can the events assist an identity thief who will cause a loss to the dealership? The dealership must always consider whether it can become a victim of identity theft as a result of misuse of customer information and take steps to prevent the loss.
 
 