Auto Dealer Monthly

APR 2013

Auto Dealer Monthly Magazine is the daily operations publication serving the retail automotive industry. This automotive publication serves dealer principals, officers and general managers with the latest best practices.

Issue link: http://autodealermonthly.epubxp.com/i/117504


ers can prevent their information from being shared with third parties. Additionally, Franklin's privacy notice misrepresented its data-protection practices because it did not implement reasonable safeguards to protect consumers' information from unauthorized access over its P2P network.

Second, Franklin allegedly violated the GLBA Safeguards Rule by failing to implement an information-security plan that contained reasonable safeguards to protect the confidentiality of customers' information. Notably, Franklin allegedly failed to identify the foreseeable risks posed by P2P networks to consumers' personal information or implement safeguards to control these risks.

Without admitting any facts or liability, Franklin agreed to a consent order that prohibits misrepresenting its protection for the privacy and security of customers' personal information or from violating any provision of the GLBA Safeguards and Privacy rules. Franklin also is required to implement an information security program; obtain initial and biennial third-party security audits for 20 years; send those audits to the FTC; maintain copies of compliance-related documents for five years; and other remedial actions. The consent order was finalized in October 2012, and any failures to comply can result in fines of $16,000 per violation.

LESSONS LEARNED

Dealers can take several proactive steps to minimize the risks identified by the FTC. First, dealers should decide whether to permit P2P technology on their network and then determine whether any P2P applications are currently installed. Prohibiting the use of P2P technology and removing the applications is the best way to handle this risk, but dealers who permit P2P technology can implement other cost-effective safeguards to mitigate the risks of improper disclosure of files containing personal information. These safeguards include: training employees about the risks and proper use of P2P technology, isolating P2P applications to computers without customers' personal information, or encrypting customers' personal information.

Second, dealers should evaluate their information security program to ensure it is up to date and accurately reflects the risks posed by dealers' current business practices to the security of personal information. If P2P technology is on the network, it should be identified and safeguards proposed to mitigate the risk to customers' information. The program should be continuously evaluated and amended as needed to reflect changes in business operations or the shortfalls of present safeguards.

Third, dealers should assess their current privacy notice to ensure it accurately reflects the organizations' collection, use and protection of customers' information. The notice should be provided before initially collecting a customer's personal information and annually thereafter. It also should contain an express opt-out provision that clearly explains how customers can prevent their information from being shared with third parties.

Dealers who implement these steps can reduce the risks of an improper disclosure of their customers' private information that might significantly harm the dealer's goodwill and reputation and possibly trigger a burdensome FTC investigation.
