In the evolving landscape of data privacy, laws have been enacted to shield the American consumer from fraud attempts. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, was passed to control how financial institutions deal with individuals’ private information. Previously, GLBA requirements targeted financial institutions, but with the most recent update, auto dealers are also required to adhere to these guidelines.
Because auto dealerships often engage in financial transactions involving credit, loans and leases, they are now considered financial institutions and subject to GLBA requirements. In the following blog, we outline how these requirements affect auto dealers and, ultimately, protect consumers.
Why does this now apply to dealers?
As part of their normal business operations, auto dealerships collect significant personal information from their customers, including nonpublic personal information such as social security numbers, income, account numbers, credit histories and other data. Before the GLBA safeguards applied to dealers, however, there were no mandated protections in place for consumers’ private information.
All this information is now protected under the GLBA, and auto dealerships must comply with the act’s provisions if they maintain customer information for over five thousand consumers.
How will this shift affect auto dealers?
Two rules directly provide guidance to auto dealers on GLBA requirements: the Privacy Rule and the Safeguards Rule.
The Privacy Rule requires auto dealers to provide each consumer with a privacy notice once the consumer relationship is established and annually after that. This notice must explain what information is collected about the consumer, where that information is shared, how that information is used and most importantly, how that information is protected.
The Safeguards Rule adds a further layer of protection by requiring auto dealers to have a written information security program that describes how the company prepares for and maintains the protection of clients’ nonpublic personal information. Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must address:
- “Qualified” Information Security owner
- Risk assessments
- Information security program
- Vulnerability program management
- Security training
- Board & reporting oversight
- Monitoring
- Program maintenance
- Incident response plan
While designing the information security program, the Safeguards Rule also requires the company to implement technical guardrails, including:
- Performing periodic access reviews to ensure that user rights are reasonable and appropriate
- Maintaining an inventory of data so the company knows where sensitive data resides and can put proper safeguards around it
- Encrypting customer data from initial intake through to its final resting place
- Evaluating application security to ensure applications are aligned with the information security program
- Implementing multi-factor authentication for connections into the network and applications
- Securely disposing of customer data in a timely manner
- Maintaining logs and establishing controls to monitor access to customer data
- Establishing change management controls
Steering Clear of Penalties
Compliance with the GLBA is not just about avoiding penalties. It is about building trust with customers and protecting the reputation of your business. Therefore, auto dealers should take it seriously and ensure they have the necessary systems, policies and procedures to comply with the GLBA.
Non-compliance can have serious consequences. According to the Federal Trade Commission (FTC), which enforces the GLBA, the penalties can include:
- Civil penalties: Companies that violate the GLBA may face fines of up to $100,000 for each violation.
- Officer and director penalties: Officers and directors of the company can be personally fined up to $10,000 for each violation.
- Imprisonment: In certain circumstances, non-compliance can also lead to imprisonment.
- Other penalties: Non-compliance can also lead to other penalties, including injunctive actions and damages for financial loss, humiliation, and embarrassment.
In addition, non-compliance with the GLBA can damage a company’s reputation, erode customer trust and potentially disrupt business operations.
The expansion of the GLBA to include auto dealerships marks a significant turn in the journey toward comprehensive data privacy protection. While the road to compliance may seem challenging, it’s an opportunity for auto dealerships to build trust with their customers, enhance their reputation and steer clear of penalties.
RKL’s team of IS assurance and advisory professionals can help your organization navigate the complexities of GLBA rules to stay on the right track. Contact your RKL advisor or reach out using the form below.
Join us for RKL’s Cyber Readiness Forum on May 8 at the Cork Factory Hotel in Lancaster. Cyber risks are complex and can come from any direction. Business leaders must understand their sources and impact to stay a step ahead. Register now to find out how you can take preventative measures: https://hubs.ly/Q02qfYXh0