Big Turnout for WANADA Safeguarding Workshop

Big Turnout for WANADA Safeguarding Workshop Dealers Learn How to Meet New FTC Requirements, Effective May 26

With a May 23, 2003 deadline fast approaching to meet strict new requirements of the Federal Trade Commissionês new Safeguarding Customer Information regulation, over 200 dealer principals, senior managers and dealer attorneys turned out last week for a special Safeguarding workshop conducted by WANADA and NADA at the Tysons Corner Marriott.

Participants got a step-by-step explanation of how to develop, implement and maintain a comprehensive written information security program to protect customer information required by the new rule.

The workshop featured top dealership legal and information technology experts, including NADA attorney Paul Metrey and attorney Michael Benoit, outside counsel to NADA. WANADA Counsel Allen Jones of Hamilton & Hamilton, LLP moderated the program, while Patrick Kavanaugh, Jonesê partner, and kindred line attorney member Michael Charapp joined Metrey and Benoit on a Q & A panel.

NADA recently sent to all dealer members A Dealer Guide to Safeguarding Customer Information that explains the new requirements, along with a template to assist members in developing their written information security program. Metrey and Benoit reviewed the guide at the workshop, which was taped by NADA for presentation to other state and metro dealer associations across the country.

NADAês guide provides a good road map for compliance and is a good starting point. But dealers should not assume that they can just put the dealershipês name on the template and have a plan in compliance with the regulations. Senior management must be involved in developing the plan, rolling it out and maintaining it. Professionals who provide services to the dealership and who understand the regulation and the paper flow in a dealership can be of great assistance in compliance.

Rule in a Nutshell

The new rule is the latest part of the Gramm-Leach-Bliley Privacy Act, which required financial institutions (including auto dealers) to advise consumers how their personal information would be used and to safeguard the information received. The FTCês first step was to require privacy notices advising customers how their personal information would be used. The next step is to require that dealers have a comprehensive written Information Security Program to safeguard customer information in place at the dealership by May 23, 2003.

The program must seek to protect the personal information of the dealershipês customers from identity thieves and other misuse. The program must:

àEnsure the security and confidentiality of customer information;

àProtect against any anticipated threats or hazards to the security and/or integrity of customer information; and

àProtect against unauthorized access to customer information that could result in substantial harm or inconvenience to any customer.

The program must also:

àDesignate employee(s) to coordinate the program;

àIdentify and assess risks for customer information in relevant areas of the company, and evaluate how current safeguards control these risks;

àDesign and implement customer information safeguards to control the risks identified through risk assessment and plans to monitor it;

àSelect service providers and require them, by contract, to implement the safeguards; and

àRegularly evaluate the program and adjust the program in light of the results of an audit, changes in business, changes in technology or other circumstances.

Violation of the FTC regulation can be punished by injunctive relief and civil penalties of up to $10,000 per day for each violation. Washington area dealers have an especially healthy respect for the enforcement of FTC rules, since the agency is located here. FTC agents frequently visit area dealers to check on compliance, so workshop participants wanted to make sure they were up-to-speed on the new safeguarding requirements.

Additional copies of A Dealer Guide to Safeguarding Customer Information are available from NADA Management Education. A Web download version in PDF format can be purchased from www.nada.org/mecatalog.