Auto Dealer Monthly

APR 2013

Auto Dealer Monthly Magazine is the daily operations publication serving the retail automotive industry. This automotive publication serves dealer principals, officers and general managers with the latest best practices.

Issue link: http://autodealermonthly.epubxp.com/i/117504


DEALERSHIP OPERATIONS

PEER-TO-PEER-TO-PUBLIC

The FTC's actions against a Georgia dealership offer several lessons for dealers who utilize P2P networks.

By Mark A. Bross

Mark A. Bross is an attorney with the Boston-based firm of Adler Pollock & Sheehan P.C., where he concentrates his practice in civil litigation and has experience in the areas of complex commercial litigation, securities litigation, white collar defense, intellectual property, information privacy, and insurance/reinsurance. M.Bross@AutoDealerMonthly.com

The Federal Trade Commission (FTC) recently finalized a settlement and consent order with Franklin Budget Car Sales in Statesboro, Ga., over the dealership's inadvertent disclosure of customers' personal information over a peer-to-peer (or "P2P") network. Under this settlement, Franklin is obligated to perform costly and burdensome remedial actions, such as biennial data security audits from independent third parties for the next 20 years. Auto dealers should note this settlement and assess their own information-collection practices, as the risks identified by the FTC can be proactively and cost-effectively mitigated.

Franklin Budget Car Sales Inc., also doing business as Franklin Toyota/Scion, is a franchised auto dealership that sells vehicles, provides repair services and sells parts. Franklin also provides financial services to its customers and routinely collects customers' personal information, including Social Security numbers, addresses, telephone numbers, dates of birth, and driver's license numbers.

Like other dealers, Franklin uses computer networks and the Internet to conduct business and collect consumer information. The networks were used to obtain online credit applications and lead information, maintain automobile and payment records, and manage customers' sales and F&I records.

When initially collecting customers' private information, Franklin provided privacy notices stating that access was restricted to "those employees who need to know" and that its physical, electronic and procedural safeguards "comply with federal regulations" to guard personal information.

COSTLY MISTAKE

The FTC alleged that Franklin misrepresented its data collection practices and failed to implement reasonable security measures to protect consumers' personal information. Consequently, personal information for 95,000 consumers was made available over a P2P network, and could be viewed or downloaded by anyone with a compatible P2P application.

Two notable deficiencies were identified: First, the FTC alleged that Franklin's privacy notice violated the Gramm-Leach-Bliley Act (GLBA)'s Privacy Rule and Section 5 of the FTC Act. Allegedly, Franklin's privacy notice was only provided during the initial collection of information and not updated annually. Franklin's privacy notice also did not contain an opt-out clause explaining how consum-
