The Red Flags Rule requires a dealership to perform a risk analysis and implement a written Identity Theft Prevention Program ("ITPP") to detect, prevent and mitigate identity theft. It is not a "one size fits all" rule: a dealer's ITPP need only be appropriate to the size and complexity of the dealership and the nature of its operations. The Red Flags Rule does not apply to cash sales, although if a customer pays more than $10,000 in cash you must still file IRS/FinCEN Form 8300.
A Robust ITPP is Important.
The Red Flags Rule is designed to keep your dealership from becoming a victim of identity fraud. Auto dealers bear the loss when they finance a vehicle for an identity thief: most lender agreements require the dealer to repurchase a contract made with an identity thief, even if several payments have been made on it. The Red Flags Rule goes a step further. It requires lenders to review the accounts in their portfolios (including written-off accounts) periodically to detect and mitigate further identity theft, so more lenders will be examining delinquent and written-off accounts for identity theft. Instead of simply writing these accounts off as credit losses as they did in the past, lenders may force dealers to repurchase accounts they identify as identity theft accounts, such as sales to illegal immigrants, even if the identity thief has made payments for a period of time. This "back end" risk is perhaps your biggest financial exposure to identity theft, and a good ITPP protects you, the dealer, more than anyone else.
The dealer's board of directors (or its highest governing authority) must approve the initial ITPP. A senior officer must be appointed as the ITPP program manager ("Program Manager"), responsible for developing, implementing, overseeing and administering the ITPP and for training staff on it, but final responsibility rests with the board of directors or the senior management team.
Compliance with the Red Flags Rule is a four-step process. The first step is to identify the "red flags" appropriate for your ITPP. Red flags are patterns, practices or specific activities that indicate the possible existence of identity theft. The Red Flags Rule lists 26 potential red flags that you must consider for your ITPP, but many will not apply to auto dealers. The best sources for determining your dealership's red flags are the types of covered accounts it originates (and, for Buy-Here-Pay-Here dealers, the covered accounts it maintains), its own experience with identity theft and that of similarly situated dealerships, and applicable regulatory guidance. For example, the red flags for accounts opened over the Internet (such as eBay Motors sales) may differ from those for accounts originated face-to-face at the dealership.
The second step is to employ procedures to detect the presence of any of your red flags in individual consumer credit transactions, as well as in business credit transactions you identify as posing identity theft risks. An electronic identity verification service can compare the customer's stated information against databases of known fraudulent identities and stolen Social Security numbers, among other red flags. It is also important to examine personal IDs for tampering or counterfeiting and to review credit reports for unusual patterns of recent activity or other irregularities.
The third step requires your ITPP to specify the steps to take when you identify red flags in a customer transaction but cannot adequately clear them with the customer. Out-of-wallet or knowledge-based authentication questions, which ask for information only the real person would know, can help establish whether the customer is who they claim to be; they are available from electronic identity verification services. Escalate any remaining problems to the Program Manager and continue to question the customer until you are satisfied one way or the other. In August 2009, a dealer in Colorado became suspicious of a customer and questioned him during a test drive. The dealer declined to do business with him; the customer was later arrested in New York for possessing bomb-making materials and charged with planning a terrorist attack in New York City.
Fourth and finally, you must update your ITPP periodically based on your dealership's experience and on new information about identity theft from regulators and industry experts. Employees who perform program functions should prepare annual reports to the Program Manager on the ITPP's effectiveness, with suggestions for improvement. The Program Manager should then use these reports and other identity theft resources to make an annual report to your board or senior management detailing the effectiveness of the ITPP and proposing any material changes. Training employees and overseeing service providers who have access to your customers' data are also critical tasks that the Red Flags Rule requires. Identity theft used to finance autos is on the rise. In 2007, only 4 percent of reported finance-related identity theft involved auto financing. In 2008, auto-related fraud rose to 22 percent of reported identity theft finance fraud, and in 2009 overall new-account identity fraud increased 17% while auto credit identity fraud rose to 29% of reported incidents (source: Identity Theft Resource Center). Many garage policies no longer cover identity theft losses, or charge a substantial incremental premium to do so.
The FTC Address Discrepancy Rule
The FTC Identity Theft Address Discrepancy Rule ("Address Discrepancy Rule") is a companion to the Red Flags Rule. It requires users of consumer reports who receive a notice of address discrepancy from a consumer reporting agency to have reasonable policies and procedures in place to form a reasonable belief that the consumer report relates to the consumer about whom it was requested. Dealers who establish a continuing relationship with a consumer for whom they received a notice of address discrepancy, and who routinely furnish information to consumer reporting agencies, must also reasonably confirm the accuracy of the address the consumer provided and furnish the verified address to the consumer reporting agency that sent the notice.
OFAC Screening
The U.S. Treasury Department's Office of Foreign Assets Control ("OFAC") prohibits any U.S. person (including auto dealers) from doing business with the persons or entities on its Specially Designated Nationals and Blocked Persons List ("SDN List"). The SDN List contains persons and entities designated under U.S. sanctions programs, including those suspected of being associated with or funding terrorist organizations, and it is updated frequently, which makes it difficult to check on your own. A credit bureau or electronic identity verification service can systematically check each customer against the current SDN List. You must screen all of your customers, both cash and credit, against the list. If you get a preliminary match, OFAC publishes a series of steps for determining whether you have a true match or a false positive. If you still believe you have a true match after following those steps, you must call OFAC at 800.540.6322, and you cannot do business with that person unless instructed otherwise. Penalties can include fines of up to $10 million, civil penalties of $1 million per violation, and imprisonment for up to 30 years.
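The screening described above has two distinct stages, a name comparison that produces preliminary matches and a review that separates true matches from false positives, and the two are easy to conflate in practice. The following is an added illustration written for this article, not code from any dealership system or from OFAC: the SDN-style records and customers are constructed, the 0.85 similarity threshold is an assumed tuning value, and the triage step is a simplified stand-in for OFAC's published checklist (it only uses date of birth as the distinguishing identifier). It also shows why the threshold matters: "Jon Smith" is missed against "SMITH, Jonathan" at 0.85 but caught at 0.75.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed records in the shape of SDN List rows (made up for this example, not real SDN data).
SAMPLE_SDN = [
    {"name": "DOE, John Albert", "type": "individual", "dob": "1970-03-12", "program": "SDGT"},
    {"name": "SMITH, Jonathan", "type": "individual", "dob": "1982-11-05", "program": "SDGT"},
    {"name": "ACME TRADING CORP.", "type": "entity", "dob": None, "program": "SDNTK"},
]

# Constructed customers from the deal jacket (assumed shape: name, type, DOB as an ISO date).
CUST_JON_DOE = {"name": "Jon Doe", "type": "individual", "dob": "1975-06-01"}
CUST_JOHN_DOE = {"name": "John A. Doe", "type": "individual", "dob": "1970-03-12"}
CUST_JON_SMITH = {"name": "Jon Smith", "type": "individual", "dob": "1982-11-05"}
CUST_ACME = {"name": "Acme Trading, Inc.", "type": "entity", "dob": None}
CUST_MARIA = {"name": "Maria Garcia", "type": "individual", "dob": "1990-01-20"}

ENTITY_SUFFIXES = {"inc", "corp", "corporation", "co", "ltd", "llc", "plc", "sa", "gmbh"}


def normalize(text):
    """Lowercase, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def match_key(name, kind):
    """Reduce a name to the string that gets compared: 'first last' for people
    (middle names and initials dropped), the name minus corporate suffixes for entities."""
    if kind == "individual":
        if "," in name:                       # SDN style "LAST, First Middle"
            last, first = name.split(",", 1)
            tokens = normalize(first).split() + normalize(last).split()
        else:
            tokens = normalize(name).split()
        tokens = [t for t in tokens if len(t) > 1]   # drop initials such as "A."
        if len(tokens) >= 2:
            tokens = [tokens[0], tokens[-1]]         # ignore middle names
        return " ".join(tokens)
    return " ".join(t for t in normalize(name).split() if t not in ENTITY_SUFFIXES)


def screen(customer, sdn_list=SAMPLE_SDN, threshold=0.85):
    """Preliminary matches: (score, record) for every same-type SDN entry whose key is
    at least `threshold` similar to the customer's. The threshold is an assumed value."""
    key = match_key(customer["name"], customer["type"])
    hits = []
    for rec in sdn_list:
        if rec["type"] != customer["type"]:
            continue
        score = SequenceMatcher(None, key, match_key(rec["name"], rec["type"])).ratio()
        if score >= threshold:
            hits.append((round(score, 3), rec))
    return sorted(hits, key=lambda hit: hit[0], reverse=True)


def triage(customer, hits):
    """Simplified false-positive review (an assumption, not OFAC's published checklist):
    a listed date of birth that contradicts the customer's clears that hit; a hit that
    nothing rules out means stop the deal and call OFAC."""
    if not hits:
        return "clear_no_match"
    for _score, rec in hits:
        if rec["dob"] and customer["dob"] and rec["dob"] != customer["dob"]:
            continue                          # identifier mismatch: treat as false positive
        return "escalate"
    return "clear_dob_mismatch"


if __name__ == "__main__":
    for cust in (CUST_JON_DOE, CUST_JOHN_DOE, CUST_JON_SMITH, CUST_ACME, CUST_MARIA):
        hits = screen(cust)
        print(f"{cust['name']:<20} {triage(cust, hits):<20} {[(s, r['name']) for s, r in hits]}")
```

Two points a practitioner should take from this: the comparison is deliberately run on a reduced key (first and last name, corporate suffixes removed) so that "John A. Doe" and "DOE, John Albert" score as identical, and the false-positive review must use an identifier other than the name, which is why the customer's date of birth is captured alongside the name. A production service would add nickname tables, alias fields and the list's other identifiers, but the two-stage shape is the same.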
The FTC Safeguards Rule
The FTC Safeguards Rule requires auto dealers to ensure the security and confidentiality of their customers' personal information by using appropriate administrative, technical and physical safeguards. The Rule also requires auto dealers to take reasonable steps to ensure that affiliates and service providers safeguard the customer information provided to them. Under the Safeguards Rule, an auto dealer must develop and implement a written information security program that is appropriate to the dealership's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue ("Information Security Program"). An Information Security Program must include certain basic elements to ensure that it addresses the relevant aspects of a dealer's operations.
The Information Security Program must:
• Describe how the Information Security Program protects customer information - both in paper and electronic format - and protects against anticipated threats to information security;
• Assess the sufficiency of safeguards in place to control risks;
• Designate one or more employees to coordinate the safeguards;
• Identify and assess internal and external risks to its customer information;
• Design and implement information safeguards to control identified risks; and
• Include a data breach response plan for use in the event any consumer information is lost, stolen or compromised.
Dealers must regularly monitor and test their Information Security Program, evaluate its effectiveness and adjust it accordingly. Three critical areas to address are: 1) employee training and management; 2) information systems; and 3) detecting, preventing and responding to attacks, intrusions and system failures. The FTC has also found that failing to have a defensible password policy, or permitting "weak" administrative passwords such as common words with no capitalization, numbers or symbols, can constitute inadequate data security. The FTC also faulted a leading social networking provider for storing passwords in plain-text emails.
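The two password findings above (weak administrative passwords and plain-text storage) are separate controls, and a dealership's Information Security Program needs both. The block below is an added example written for this article, not code from any dealer management system or from the FTC: it enforces a policy at the moment a password is chosen and stores only a salted, iterated hash so that no plain-text copy exists to leak. The common-password list is a constructed stand-in for a real one, and the 12-character minimum and 200,000 PBKDF2 rounds are assumed policy values.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a real common-password / vendor-default list (assumption).
COMMON_PASSWORDS = {"password", "admin", "dealer", "welcome", "letmein", "qwerty", "123456"}
MIN_LENGTH = 12           # assumed policy minimum
PBKDF2_ROUNDS = 200_000   # assumed work factor; raise it as hardware gets faster


def check_policy(password):
    """Return the policy rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    # Compare the letters alone too, so "Password1!" is still recognised as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        failures.append("common word or vendor default")
    return failures


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The stored string carries algorithm, rounds and salt,
    so the work factor can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and rounds and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def set_password(password):
    """Enforce the policy when a password is chosen, then keep only the hash."""
    failures = check_policy(password)
    if failures:
        raise ValueError("password rejected: " + "; ".join(failures))
    return hash_password(password)


if __name__ == "__main__":
    for pw in ("admin", "Password1!", "Correct-Horse-7Battery"):
        print(f"{pw!r}: {check_policy(pw) or 'passes policy'}")
    record = set_password("Correct-Horse-7Battery")
    print(record)
    print(verify_password(record, "Correct-Horse-7Battery"), verify_password(record, "admin"))
```

Note that the policy check strips digits and symbols before consulting the dictionary, because "Password1!" satisfies every character-class rule and is still a common word; a check that only counts character classes is exactly the kind of policy the FTC findings describe as indefensible. The verification step never needs the plain-text password to be kept anywhere, which is the point of the plain-text finding.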
Consumer information must be kept secure and confidential at all times, and it is important to protect information from the moment it is received until the moment it is securely destroyed. A recent study by Michigan State University estimated that 51 percent of all identity thefts occur in the workplace, so tracking and monitoring dealership employees' access to customer information, in both printed and electronic form, is also important. The FTC has cited failure to monitor system logs as another deficient security practice.
FTC Consumer Report Information and Records Disposal Rule
This Disposal Rule requires persons who maintain or otherwise possess consumer information for a business purpose to properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. For example, paper records should be shredded, burned or pulverized so the consumer information cannot be read.
Consumer information must also be destroyed or erased from electronic media so that it cannot be read or reconstructed. For PCs, copiers and fax machines, this means not only deleting the information but wiping the hard drive, since deleted files can remain recoverable on these devices' drives. The FTC has stated that consumer information should be retained only for the period during which it is actually needed, and then securely destroyed. Adopt and follow a strict consumer records retention policy. The Disposal Rule also requires due diligence in selecting, and supervision of, any records disposal company. Records destruction procedures should be included in a dealership's Information Security Program and followed systematically.
Also, the FCRA prohibits printing more than the last five digits of a credit or debit card number, or the card's expiration date, on any electronically printed transaction receipt.
State Data Security Laws
States are also enacting strict data security laws that apply to all organizations that maintain information about their residents. Massachusetts mandates that any entity that possesses personal information on Massachusetts residents must develop a comprehensive written information security program and adhere to a series of specific data security requirements, including strict user ID protocols, limiting the information collected, and encrypting all personal information stored on laptops and portable devices or transmitted wirelessly or across public networks. Employee access must be limited and paper records must be locked up. Nevada also requires encryption when electronically transmitting any personal or account information of Nevada residents and has effectively codified the Payment Card Industry Data Security Standard ("PCI DSS") for credit and debit card information and transactions. Minnesota and Washington make merchants who retain certain credit or debit card data (card verification codes, debit PINs or magnetic stripe data) liable to card issuers for the cost of issuing replacement cards if the retained data is breached. Other states are considering similar laws and regulations.
Social Security Number Protection Laws
States have passed laws restricting the use, communication, posting or mailing of Social Security numbers. Many of these state laws prohibit denying goods or services to a person who declines to give their Social Security number. Nineteen states, including California, New York and Pennsylvania, prohibit printing Social Security numbers on ID cards. Twenty-two states prohibit communicating Social Security numbers to the public or posting or displaying them, and 17 states prohibit mailing Social Security numbers inside an envelope. Connecticut requires persons who collect Social Security numbers to create a privacy protection policy and post it on their website. Social Security numbers should be truncated in any printed form and safeguarded in electronic and paper files. Encrypting Social Security numbers is a best practice for electronic records and is mandatory when transmitting them over electronic networks such as the Internet.
Security Breach Notice Laws
Forty-six states, the District of Columbia and the City of New York have enacted laws requiring you to notify their residents if their personal information is compromised. These laws are not consistent about what types of information breaches trigger the notice requirement; the timing, content and manner of giving notice; the notices to give to government agencies, law enforcement and credit bureaus; or the penalties for failing to give notice in a timely manner. If your consumer information records (physical or electronic) are wrongfully accessed or used, you may be subject to different and conflicting notice requirements depending on where the affected consumers reside. Your Information Security Program should contain a security incident response plan with procedures to identify and stop the breach, notify law enforcement, and issue data breach notices that comply with the laws of the states where your customers are located. Federal legislation providing for a uniform national breach notice and requiring two years of free quarterly credit reports for victims has been introduced in the U.S. House of Representatives.
FTC Enforcement Activity
As noted above, the FTC has taken a very aggressive approach to companies with inadequate data security practices, bringing enforcement actions under its sweeping "unfair or deceptive acts or practices" authority in Section 5 of the FTC Act. Among other things, the FTC has cited keeping sensitive information longer than it is needed, using commonly known default passwords, using P2P networks to transmit sensitive information, allowing wireless access to sensitive information and excessive file sharing as examples of security shortfalls. During the past year, the FTC brought and settled numerous enforcement actions against companies that did not have adequate data security programs in place. The FTC considers inadequate data security practices an "unfair trade practice" for which it can seek enforcement and oversight penalties along with monetary fines. Consent decrees entered into with the FTC have included 20 years of FTC oversight, biennial audit certifications by specialized security firms, monetary penalties of up to $16,000 per violation, and costly mandatory systems and operational upgrades. A senior FTC official stated that auto dealers "should treat consumer information as if it were cash."