During a recent business trip to the United Kingdom, I found it interesting that the restaurant servers would bring portable credit card readers to the table. I felt a little pressured to leave a tip with them standing beside me (until I found it was included), so I mentioned it to another customer. He laughed and said, “Yeah, back in the U.S., the servers leave with your credit card and steal all of your information before returning to your table, don’t they?” We both chuckled, but it made me wonder if that was the purpose of the system. Have you seen the LifeLock commercials where the CEO gives out his personal Social Security number to millions of viewers? Identity theft has become so prevalent in the United States that millions of Americans are paying a monthly fee to services such as LifeLock, which guarantee to protect your identity. When I first heard of this type of service years ago, I thought that anyone who increases their monthly overhead for a preventive measure like this must have more money than sense. Then my sister-in-law had her identity stolen, and I saw firsthand what a nightmare she went through. My neighbor had some checks stolen from his mailbox, my co-worker had her identity stolen, and the list goes on and on. It has hit so close to home that I’m taking preventive measures myself. In fact, according to the Federal Trade Commission, losses from identity theft cost individuals and businesses billions of dollars each year.
So what does this have to do with the powersports industry, you ask? Well, if you’re a dealer, you could have a lot at stake. I know this isn’t as fun as talking about the new ’09 models just released, but stay with me. Effective November 1, 2008, dealerships, retail outlets, lenders and other businesses that handle customer or employee personal information will have to comply with the Safeguards Rule, which went into effect May 23, 2003, under the Gramm-Leach-Bliley Act. So what does it mean to comply? And how can there be a hard deadline?
In order to be in compliance by November 1, dealers must have a written plan in place for securing data and responding to a security breach. According to the FTC website, the FTC is authorized by Congress to impose penalties of up to $11,000 per violation, per day. To try and make some sense of this formal talk, let’s translate this into our terms with a couple of quick examples:
Dealership A allows salespeople to keep track of their own customer paperwork. One salesperson continually leaves multiple credit applications, copies of customer driver’s licenses, etc. out on his desk. Mr. Lowlife comes in looking at bikes. He sits down at the salesperson’s desk, and while waiting for the salesperson to retrieve a brochure, he decides to help himself to the credit applications that are lying around in plain view. He then uses the information to obtain lines of credit for everything from stereos to a new car. Eventually Mr. Lowlife is caught, and upon his arrest he tells authorities where the information was obtained. Authorities notify the FTC, which launches an investigation only to find the very same salesperson (who never even knew the previous applications were stolen) with over 15 credit applications scattered about his desk. That’s easy math at $11,000 per violation, and it could potentially cost Dealership A $165,000 in fines.
Dealership B hires an office assistant to help the bookkeeper with tag-and-title work. As it turns out, the office assistant is crooked: she is accessing both current and former dealership personnel files, retrieving personal data and opening credit card accounts with that information. Eventually she is caught, but extensive damage has been done. Word spreads to a former employee who was never contacted and has now had his personal credit ruined. An investigation is launched, and the dealership is found guilty on two counts:
The data was found in unlocked file cabinets with little supervision, and therefore was not legally secure.
Once a security breach happens, the business is required to respond to and notify any and all possible victims. This could have been handled proactively with a quick letter, but wasn’t, due to a lack of understanding of the Safeguards Rule and the Privacy Act.
In this example, the end verdict could have been $11,000 per violation with 10 or more victims, equaling $110,000 in dealership fines!
Now, you may be saying, “But I can’t control the actions of my people; how can I be held liable for their negligence?” To quote the letter of the law: “It is improper to assess large settlements or awards against any employer that undertakes good faith efforts to comply with employment and discrimination laws” [U.S. Supreme Court, 1999].
So take action now to get your dealership into compliance: have a written plan in place for securing data and for responding to a security breach. This topic isn’t a fun part of the business, just as with the ATV age restrictions, yet it is serious.