Author Archives | rwilson

Your Agency Is Phish Food

For ice cream aficionados, “Phish Food” is the familiar name of a Ben and Jerry’s ice cream flavor which includes chocolate ice cream with gooey marshmallow swirls, caramel swirls, and fudge fish. Phish itself is a “jam band” featuring many different genres of music with extended improvisation and instrumentals. In the compliance space however, the term “phishing” takes on a much more sinister and less enjoyable meaning.

Generally speaking, phishing is a form of social engineering, which looks to take advantage of human psychology and, in particular, looks to create a sense of fear or urgency to manipulate a user into divulging confidential information. Frequently, phishing takes the form of an email or text message, which seeks to prod a victim into revealing confidential information.

Unfortunately, your agency is a prime target. Read on to learn more about phishing and how to prevent it from undoing years of hard work.

Gone Phishing

One example of phishing is an email from an online service advising of a security alert requiring an immediate password change with a link to do so. The linked site looks identical to a legitimate site. When the link is clicked, the unsuspecting users enter their current credentials and new password. These items are then sent to the hacker, who will use them to hack into the company for whom the employee works. What many employers may not realize is that their own employees can create significant liability risk when they are not properly educated and trained to combat this insidious form of cyberattack.

Consider the following scenario: You are the CEO of your company and an employee in your payroll department receives a phishing email which appears to come from you asking for W-2 forms and payroll information of all current and former employees. Of course, you did not send that email. That email was sent by a phishing hacker. However, when your employee divulged all this confidential information to hackers, the net result was that an extremely costly class-action lawsuit was filed against your company for this data breach.

This scenario, or some similar variation, has been successfully deployed by hackers in several cases. Even Snapchat has reported that this type of phishing attack was successfully used against them. According to a 2017 IBM study, the average cost of a data breach is $3.62 million!

Typical claims which are asserted against companies in these data breach cases, caused by employees, are for negligence in failing to train employees in data security, failing to maintain and update firewalls and phishing prevention software, and failing to maintain retention, safeguarding, and destruction protocols and policies and procedures for nonpublic personal information, including dates of birth, Social Security numbers, and bank account information, all of which can be gleaned from payroll records, among other sources.

Protect Yourself

What can be done to combat this threat? Well for starters, your payroll department should be instructed, in no uncertain terms, that they are not to divulge any payroll information without first having a face-to-face conversation with the CEO of the company!

More important, however, is having a compliance system in place that sets expectations and policy on data security, trains your employees, audits compliance and, in regard to social engineering attacks like the phishing attack described above, teaches staff to recognize the appeal to human psychology — typically fear or greed used to motivate security-compromising conduct.

So the takeaway here is that data breaches and cybersecurity will continue to represent a growing threat to each and every business in America. As Equifax and other hacking targets continue to occupy the headlines, increased regulatory scrutiny will be focused on company responsibility for data security, company response timelines to data breaches, and the cost and remedies which companies should pay for regarding consumers whose NPI has been leaked. Remember, those affected could be at risk for the rest of their lifetimes!

While we can unequivocally recommend enjoying a pint of Phish Food while kicking back and listening to your favorite tunes, a much less relaxed approach is required to prevent your company from becoming tomorrow’s news headline regarding a data security/breach or phishing event.

DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without you retaining counsel to provide specific legal advice based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney-client relationship is being created by your review or use of this material. ©2018 Robert J. Wilson


Stay Safe: Your Choice of Service Providers Matters

Service, service providers and lip service are all connected. Starting with service, we all know the importance of service to our businesses. What are the qualities of good service? Value, trustworthiness, integrity and respect are good touchpoints. What is meant by the term “service provider”? Well, if you are a finance source, this is defined as “Any party that is permitted to access a financial institution’s customer information through the provision of services directly to the institution.”

Customer information is generally defined as any record containing nonpublic personal information (NPI), which means personally identifiable financial information (PIFI) and any list derived using PIFI. Does your dealership have any vendors who can access customer records containing NPI or any list derived from the use of NPI?

In a traditional dealership, the relationship looks like this:

Finance source <———> Dealer (service provider)

Dealers, in turn, have vendors of their own, which are service providers’ service providers (SPSP):

Finance source ———> Dealer (service provider) ———> Dealer vendors (SPSP)

Some common dealer vendors (SPSPs) would include:

  • DMS
  • CMS
  • IT/cloud
  • Menu
  • Marketing (mailers/email)
  • TPA
  • Copiers

Each of these SPSPs most likely has access to the financial institution’s “customer information.” Under the Gramm-Leach-Bliley Act (GLB), finance sources are required to secure customer information through administrative, procedural and technical safeguards. If you look at the typical finance source contract that you signed, you will find some sort of compliance clause. They usually require you (the dealership) to comply with all applicable laws because the finance source can be liable if you (the dealership) fail to comply with the law. There are plenty of examples of this in the CFPB, FTC, class actions and even in state court actions brought by local attorneys general. So what can you do to protect yourself?

First, you should have a compliance management system (CMS) in place and, as part of that CMS, you should have written policies and procedures. What do your policies and procedures say about NPI? Is there a clear expectation for dealership personnel regarding privacy, passwords and securing desktops and computer screens? What due diligence have you performed in selecting your dealership vendors? For instance, do they have written cyber security policies, do they restrict access to NPI, do they have an incident response plan? Where is the hosted server which has the NPI stored? Is the physical facility secured? Does your contract with your dealership vendor set forth compliance expectations and penalties for noncompliance?

So the takeaway here is that there is much risk and it is up to you to manage that risk. Are you taking affirmative steps to safeguard your customer’s NPI, or are you merely giving lip service to say you have protections in place? Henry Ford once said, “Most people spend more time and energy going around problems than in trying to solve them.” What time and energy have you spent to safeguard your customer’s NPI in your shop and in your dealership vendor’s shops? If you don’t care about your client, why should your client care about you? Remember, if you don’t take care of your customers, someone else will!


Neighbor Spoofing

How many times have you received a call from the same area code as yours with the same first three-digit prefix as yours? Too many, right? This type of caller ID spoofing is known as “neighbor spoofing” and aims to make you think you are getting a call from a neighbor so that you are more likely to pick up the call.

In fact, the caller is deliberately falsifying the information that is sent to your caller ID display to disguise their true identity. This is typically done by a robocall, which when answered, transfers you to a person attempting to make some sort of sales pitch, although occasionally it is used by identity thieves. Last year, 2.5 billion robocalls were made each month!

On an NBC News expose, the interviewee sitting in studio stole the interviewer’s personal information, called his mother, and managed to get her to reveal her Social Security number by using caller ID spoofing to masquerade as her son.

Understandably, consumers are very irritated, angered and frightened by these tactics. This is the nature of some of the current threats facing consumers and businesses with consumer-facing data. Can this happen in your clients’ dealerships?

End Users at Risk

Do the dealerships you serve have safeguards in place to prevent their customers’ nonpublic personal information (NPI) from being stolen, as mandated by the federal Safeguards Rule? Do they also protect customer information that is publicly available? Does their shop have sales worksheets, repair orders, parts slips, body shop estimates and CRM systems which are unsecured? Do any of these documents contain data such as your prospect or customer’s NPI or even unpublished telephone number or email address?

Part of the compliance responsibility is to understand the evolving nature of the threats to customers and to plan to address such threats before they happen. Caller ID spoofing is one type of identity threat — the name and telephone number of the real caller is concealed so you do not know whom you are really speaking with until you accept the call. The scenario where the person’s identity was stolen and used is, quite simply, identity theft.

So what lessons can be learned here?

First, we must accept that safeguarding customers’ NPI is of paramount importance. … But is this enough? There are many laws which seek to protect the consumer from these types of attack, but could they anticipate this new reality? Let’s take a closer look at four applicable regulations:

  • Under the Truth-in-Caller Act, a person is prohibited from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongfully obtain anything of value. Illegal spoofing is subject to a penalty of up to $10,000 per violation.
  • Using an automatic telephone dialing system (ATDS) to make telemarketing robocalls can also trigger other laws. For instance, under the Telephone Consumer Protection Act (TCPA), your dealers may not make telemarketing calls using an ATDS unless they have prior written consent from the consumer.
  • Under the CAN-SPAM Act, you cannot send marketing emails unless certain disclosures are accurately made, including the ability to opt out of receiving future marketing emails.
  • The Red Flags Rule instructs us to check for identity theft and to know with whom we are doing business. In the event of a violation of any of the foregoing acts, a UDAP claim will presumably be included, which will escalate any potential liability.

There is a lot of anger in the marketplace due to unscrupulous robo-spammers and what seems to be daily bombarding by robo-callers. Identity theft is rampant. Poor security practices and data breaches dominate the news. (I am looking at you, Equifax.) In fact, the Data Security and Breach Notification Act, which has just been proposed, suggests jail time for executives who fail to notify consumers of a breach.

So to paraphrase a certain movie: What are you going to do and who are you going to call?

Each of your dealer clients must have a complete compliance management system (CMS) in place. Each dealer should meet with their appointed chief compliance officer (CCO) and review the current “threat board.”

Do you need to revise your policies and procedures to meet the new threats? Does your sales staff accept, on faith, that they are talking with the person identified solely by the caller ID display on their phone? If you do any telemarketing, does it comply with the alphabet soup of laws designed to protect the consumer from unwanted spam messages?

You must take affirmative action to value and protect the relationship between your dealers and their customers, whether it be safeguarding their NPI against data breaches or not subjecting them to unwanted commercial spam messages. Failure is not an option here and if the Data Security and Breach Notification Act becomes law, such a failure could result in jail time.


The Equifax Data Breach: A Compliance Lesson in Disguise

By now, the immensity of the Equifax data breach has started to sink into our collective consciousness … 142 million consumers, half of all Americans, have been adversely affected by the complete failure of Equifax to safeguard their nonpublic personal information (NPI). Keep in mind that those 143 million consumers are going to be adversely affected by the Equifax data breach for the rest of their lives!

So what does this mean for automotive dealerships? This is a compliance lesson, writ large, for all of the world to see. More specifically, this is an example of a compliance failure, the size and scope of which we have never seen before. Whether or not Equifax will survive this catastrophic event remains to be seen. Multiple class actions have been filed alleging the failure of Equifax to comply with the Fair Credit Reporting Act (FCRA), the failure of Equifax to comply with state data breach laws and negligence by reason of its failure, after previous security incidents, to take reasonable action under the circumstances. The dollar exposure of Equifax in these class actions will certainly be in the millions of dollars.

Facts reported in the news indicate that it took Equifax 143 days to discover the data breach and 40 days after the discovery of the breach to notify the affected individuals. State laws vary, but data breach notification acts typically require notice “without unreasonable delay” or “whenever it becomes aware” of the data breach or similar language. Undoubtedly, the length of the delay here was unreasonable and did not occur as soon as Equifax was aware of the data breach and Equifax will suffer the consequences.

In particular, the computer application that the hackers took advantage of was patched approximately two months before the Equifax attack occurred, and notice of this was available on the National Vulnerability Database. This episode points to the inescapable conclusion that Equifax did not have a robust data security program in place (e.g. no regular checking for software/application updates, no regular monitoring of published vulnerabilities) and, certainly, had no plan of action for the possibility that a security event could occur (e.g. the 40-day delay to figure out what to do).

A complete compliance management system (CMS) would require policies and procedures, training, audit and complaint management and would bring, at a minimum, a double failsafe approach to compliance — first via policies, then via training and, if both of those failed, through audit.

On the dealership floor, the impact of one in two customers suffering the consequences of this monumental data breach will be significant. In response to the Equifax data breach, many consumers have implemented credit freezes and/or have placed a fraud alert on their file. (Does your CMS address credit freezes and fraud alerts?)

If the hackers have gained access to the consumer’s credit information, then there is the possibility of unauthorized charges on the consumers account which will need to be investigated and there will be an increased urgency to ensure that the consumer is actually the person they represent themselves to be. This means compliance with the Red Flags Rule will become even more critical.

What is the takeaway here? Implementation of a complete CMS will be even more critical to protect your customers and reputation. Going forward, fraud prevention and consumer protection will need even added attention from dealerships to avoid being dragged down with Equifax into the failed compliance whirlpool — or is it a cesspool?

DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without specific legal advice based upon your particular situation, jurisdiction and circumstances. No attorney-client relationship is being created by your review or use of this material. © 2017 Robert J. Wilson


Customer Retention and What Not to Do

Ask yourself whether the following fact scenario is true or false: Mrs. G and her husband come to a dealer seeking to trade two vehicles for two new cars. The dealership signed a document agreeing to add leather seats to one of the new cars.

When Mr. G called to ask about the leather seats, he was told that the dealership would not be installing them because it did not get a good deal on one of the trade-in vehicles. Mrs. G posted a negative comment on social media about this experience at the dealer. A dealer employee called Mrs. G and said that (1) the leather seats would not be installed until she removed the negative social media post and (2) that the dealership has nude photos of her. This employee said he would share the nude photos of Mrs. G with her husband if she did not remove the negative comment and also that he knew she was a teacher.

Pretty crazy, right? This is what was alleged in a lawsuit in Georgia.

Here is the second scenario: Mr. and Mrs. G go to purchase a new car. Mr. G has a screenshot of a credit pre-approval on his phone, saved in his photos. The salesperson asks to borrow the phone to show his manager, so Mr. G gives his phone to the employee. Mr. G’s phone was given to the dealership’s sales director, who found nude photos of Mrs. G on the phone and sent a photo to an email address for a swingers’ website. The sales director had an active profile on the swingers’ site. When Mr. G got his phone back, he noticed that a photo of his wife had been accessed. He then checked his sent emails and saw that the photo had been emailed to the swingers’ website.

Again, these facts are what was alleged in a lawsuit in Dallas.

The mantra of customer retention seems even more urgent when conventional wisdom tells us it is much more expensive to acquire a new customer than to retain an old customer. While there is, admittedly, pressure on the dealership floor to make sales, how do you balance meeting sales goals while retaining customers?

Beyond Breach of Contract

Certainly, in the first scenario, the dealership entered into a written contract with its customer which it unilaterally breached by refusing to perform the leather installation. If this is where the story stopped, the fallout could include a breach of contract claim, perhaps an unfair trade practices claim and maybe a complaint with the local attorney general’s office. Obviously, attempting to use nude photos of the customer to coerce her to do something escalated this fact pattern from a breach of contract to something altogether different.

In the second scenario, had the sales manager not gone “fishing” into the stored photos on the customer’s phone, then presumably the sales transaction could have been completed without further incident. This conduct is so outrageous that it almost defies belief.

Each dealership should, of course, as part of its written policies and procedures, specifically set forth expectations of behavior, even for situations which seem self-evident. Privacy and nonpublic personal information (NPI) must be safeguarded, and certainly all customers should be treated with respect — if customer retention is the priority it should be.

So what is the takeaway here? Obviously, if a contract is entered into, both sides should honor its terms and if there is a question, counsel should be retained for review and analysis before any action is taken. While the first scenario only resulted in a suit against the local Georgia dealer, the second scenario resulted in a suit against both the Dallas dealer and Toyota Motors North America. Both dealers have shattered their reputations, and the second dealer may have jeopardized its relationship with its distributor.

The story does not mention any pre-employment screening which may or may not have been performed in the second scenario, but obviously this manager-level employee had significant judgment and decision-making deficits, beyond the moral issues. While compliance issues gather their fair share of headlines, ordinary contract and privacy issues can be just as damaging to the dealer’s wallet and, more importantly, reputation.

Just protecting NPI is no longer a good benchmark for dealerships. Recent headlines regarding the hacking of Sony Entertainment and even the hacking of the Democratic National Committee established that protecting all customer information is the new standard, NPI included. While protecting NPI is the regulatory standard, to preserve your reputation with your customers, dealers must take affirmative action to safeguard and keep all customer information secure — photographs, email addresses, telephone numbers, everything that is unique to the customer.

“Keeping it secure” is the new norm to maintain customers for life. Hands-on management requires scrutiny in screening employees, notifying employees of written expectations of conduct and behavior as well as periodic review. Boundary setting is considered the hallmark of good management, and these two scenarios prove this true.

Content in this article is intended for informational purposes only and should not be construed as legal advice, and should not be relied upon or acted upon without specific legal advice based upon your unique jurisdiction and circumstances. No attorney-client relationship is being created by your review or use of this material.


Compliance Management System or Compliance Training?

What is the important and significant difference between a compliance management system (CMS) and compliance training? Why is one preferable to the other in the compliance space for dealerships? A “system” has been defined as describing a set of connected parts forming a complex whole or an organized set of procedures by which something is done. The key concept centers on the “connectedness” of the components forming a larger set. “Training,” on the other hand, is defined as the action of teaching a particular skill or behavior.

The CFPB has said that they expect every large participant (including “nonbank,” i.e. auto finance companies) to have a CMS in place, not just training. Auto finance sources, in turn, require your dealers to implement a CMS in their stores. In the event a finance source discovers that a dealer has failed to implement a CMS, drastic measures are sure to follow. There is a popular misconception that “training = system,” rather than the more accurate description: “system > training.”

The Four Prongs

The CFPB has outlined at least four prongs, or interconnected parts, that form the larger whole of a CMS: policies and procedures, training, audit and complaint management. As you can see, training is just one component of a larger system of compliance, but it is not a “system” unto itself.

Many dealers are tempted to say they train their staff and consider themselves to be compliant. While there may be training, what happens if an issue arises in any of the other three prongs that the CFPB has identified as part of a CMS?

For instance, what if there is a question regarding written policies and procedures, or regarding a customer complaint or a question regarding an audit? What is the process to be followed? Who has supervisory responsibility? How can consistent, repeatable processes be followed?

The answer is that mere training is not enough. You need an interconnected system. Given the high turnover of employees and the lack of up-to-date information around the key areas of legal requirements that dealers face just to sell cars, a CMS is the only sure way to stay current and have consistent and repeatable compliance processes embedded in the dealer workflow.

One More System Won’t Hurt

Dealer workflow is no stranger to systems. The “S” in “DMS” stands for “system.” Sales of vehicles, ancillary products or parts and service are frequently tied into menu-selling systems. These systems integrate all the disparate items under one “roof” so all opportunities are fully and completely explored. Doesn’t it make sense to also use a system to integrate all compliance expectations and processes under one “roof”?

A CMS should serve to automate, making sure all employees receive lessons appropriate to their job duties. A CMS should generate reports regarding employees who have passed (or not passed) their training and the time required to do so. A CMS should establish consistent and repeatable processes to address problems and issues as they arise and can also serve to suggest revisiting procedures and training to lessen the likelihood of the same issue coming up repeatedly.

Why would a dealer consider implementing training rather than a complete CMS? The only answers that spring to mind are price or lack of knowledge. The old adage that if it is worth doing, it is worth doing well applies here. Training is a halfway (or perhaps even a 25%) solution to compliance. If you read any compliance headlines, you can easily see that the penalties are in the millions of dollars. Price should not realistically be a deciding factor.

After reading this article, you cannot claim a lack of knowledge of the difference between mere training and a complete compliance management system. Some of you may be familiar with the television and movie series “Star Trek.” If so, you are likely familiar with a villain named the Borg, which is a collection of human/cyborgs linked together in a hive called the Collective. The Borg are known for several quotes and I would like to paraphrase one here: “Resistance is futile. You will comply.”

While I am not necessarily equating the CFPB with the Borg, compliance in some format is here to stay and best practices mandate that a complete system is needed to address this requirement. In the case of system versus training, the undisputed evidence favors system over training; there is no valid excuse or justification for adopting an incomplete compliance solution so go out there and get a complete compliance management system today!
