Author Archives | rwilson

Neighbor Spoofing

How many times have you received a call from the same area code as yours with the same first three-digit prefix as yours? Too many, right? This type of caller ID spoofing is known as “neighbor spoofing” and aims to make you think you are getting a call from a neighbor so that you are more likely to pick up the call.

In fact, the caller is deliberately falsifying the information that is sent to your caller ID display to disguise their true identity. This is typically done by a robocall, which when answered, transfers you to a person attempting to make some sort of sales pitch, although occasionally it is used by identity thieves. Last year, 2.5 billion robocalls were made each month!

On an NBC News exposé, the interviewee sitting in the studio stole the interviewer’s personal information, called his mother, and managed to get her to reveal her Social Security number by using caller ID spoofing to masquerade as her son.

Understandably, consumers are very irritated, angered and frightened by these tactics. This is the nature of some of the current threats facing consumers and businesses that hold consumer-facing data. Can this happen in your clients’ dealerships?

End Users at Risk

Do the dealerships you serve have safeguards in place to prevent their customers’ nonpublic personal information (NPI) from being stolen, as mandated by the federal Safeguards Rule? Do they also protect customer information that is publicly available? Does their shop have sales worksheets, repair orders, parts slips, body shop estimates and CRM systems that are unsecured? Do any of these documents contain data such as a prospect’s or customer’s NPI, or even an unpublished telephone number or email address?

Part of the compliance responsibility is to understand the evolving nature of the threats to customers and to plan to address such threats before they happen. Caller ID spoofing is one type of identity threat — the name and telephone number of the real caller is concealed so you do not know whom you are really speaking with until you accept the call. The scenario where the person’s identity was stolen and used is, quite simply, identity theft.

So what lessons can be learned here?

First, we must accept that safeguarding customers’ NPI is of paramount importance. … But is this enough? There are many laws which seek to protect the consumer from these types of attacks, but could they anticipate this new reality? Let’s take a closer look at four applicable regulations:

  • Under the Truth in Caller ID Act, a person is prohibited from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongfully obtain anything of value. Illegal spoofing is subject to a penalty of up to $10,000 per violation.
  • Using an automatic telephone dialing system (ATDS) to make telemarketing robocalls can also trigger other laws. For instance, under the Telephone Consumer Protection Act (TCPA), your dealers may not make telemarketing calls using an ATDS unless they have prior written consent from the consumer.
  • Under the CAN-SPAM Act, you cannot send marketing emails unless certain disclosures are accurately made, including the ability to opt out of receiving future marketing emails.
  • The Red Flags Rule instructs us to check for identity theft and to know with whom we are doing business. In the event of a violation of any of the foregoing acts, a UDAP claim will presumably be included, which will escalate any potential liability.

There is a lot of anger in the marketplace due to unscrupulous robo-spammers and what seems to be daily bombardment by robo-callers. Identity theft is rampant. Poor security practices and data breaches dominate the news. (I am looking at you, Equifax.) In fact, the Data Security and Breach Notification Act, which has just been proposed, suggests jail time for executives who fail to notify consumers of a breach.

So to paraphrase a certain movie: What are you going to do and who are you going to call?

Each of your dealer clients must have a complete compliance management system (CMS) in place. Each dealer should meet with their appointed chief compliance officer (CCO) and review the current “threat board.”

Do you need to revise your policies and procedures to meet the new threats? Does your sales staff accept, on faith, that they are talking with the person identified solely by the caller ID display on their phone? If you do any telemarketing, does it comply with the alphabet soup of laws designed to protect the consumer from unwanted spam messages?

You must take affirmative action to value and protect the relationship between your dealers and their customers, whether it be safeguarding their NPI against data breaches or not subjecting them to unwanted commercial spam messages. Failure is not an option here and if the Data Security and Breach Notification Act becomes law, such a failure could result in jail time.

The Equifax Data Breach: A Compliance Lesson in Disguise

By now, the immensity of the Equifax data breach has started to sink into our collective consciousness … 142 million consumers, half of all Americans, have been adversely affected by the complete failure of Equifax to safeguard their nonpublic personal information (NPI). Keep in mind that those 143 million consumers are going to be adversely affected by the Equifax data breach for the rest of their lives!

So what does this mean for automotive dealerships? This is a compliance lesson, writ large, for all of the world to see. More specifically, this is an example of a compliance failure, the size and scope of which we have never seen before. Whether or not Equifax will survive this catastrophic event remains to be seen. Multiple class actions have been filed alleging the failure of Equifax to comply with the Fair Credit Reporting Act (FCRA), the failure of Equifax to comply with state data breach laws and negligence by reason of its failure, after previous security incidents, to take reasonable action under the circumstances. The dollar exposure of Equifax in these class actions will certainly be in the millions of dollars.

Facts reported in the news indicate that it took Equifax 143 days to discover the data breach and 40 days after the discovery of the breach to notify the affected individuals. State laws vary, but data breach notification acts typically require notice “without unreasonable delay” or “whenever it becomes aware” of the data breach or similar language. Undoubtedly, the length of the delay here was unreasonable and did not occur as soon as Equifax was aware of the data breach and Equifax will suffer the consequences.

In particular, a patch for the vulnerability in the computer application that the hackers took advantage of had been released approximately two months before the Equifax attack occurred, and notice of the vulnerability was available in the National Vulnerability Database. This episode points to the inescapable conclusion that Equifax did not have a robust data security program in place (e.g. no regular checking for software/application updates, no regular monitoring of published vulnerabilities) and, certainly, had no plan of action for the possibility that a security event could occur (e.g. the 40-day delay to figure out what to do).

A complete compliance management system (CMS) would require policies and procedures, training, audit and complaint management and would bring, at a minimum, a double failsafe approach to compliance — first via policies, then via training and, if both of those failed, through audit.

On the dealership floor, the impact of one in two customers suffering the consequences of this monumental data breach will be significant. In response to the Equifax data breach, many consumers have implemented credit freezes and/or have placed a fraud alert on their file. (Does your CMS address credit freezes and fraud alerts?)

If the hackers have gained access to the consumer’s credit information, then there is the possibility of unauthorized charges on the consumers account which will need to be investigated and there will be an increased urgency to ensure that the consumer is actually the person they represent themselves to be. This means compliance with the Red Flags Rule will become even more critical.

What is the takeaway here? Implementation of a complete CMS will be even more critical to protect your customers and reputation. Going forward, fraud prevention and consumer protection will need even added attention from dealerships to avoid being dragged down with Equifax into the failed compliance whirlpool — or is it a cesspool?

DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without specific legal advice based upon your particular situation, jurisdiction and circumstances. No attorney-client relationship is being created by your review or use of this material. © 2017 Robert J. Wilson

Customer Retention and What Not to Do

Ask yourself whether the following fact scenario is true or false: Mrs. G and her husband come to a dealer seeking to trade two vehicles for two new cars. The dealership signed a document agreeing to add leather seats to one of the new cars.

When Mr. G called to ask about the leather seats, he was told that the dealership would not be installing them because it did not get a good deal on one of the trade-in vehicles. Mrs. G posted a negative comment on social media about this experience at the dealer. A dealer employee called Mrs. G and said that (1) the leather seats would not be installed until she removed the negative social media post and (2) the dealership had nude photos of her. This employee said he would share the nude photos of Mrs. G with her husband if she did not remove the negative comment, and also that he knew she was a teacher.

Pretty crazy, right? This is what was alleged in a lawsuit in Georgia.

Here is the second scenario: Mr. and Mrs. G go to purchase a new car. Mr. G has a screenshot of a credit pre-approval on his phone, saved in his photos. The salesperson asks to borrow the phone to show his manager, so Mr. G gives his phone to the employee. Mr. G’s phone was given to the dealership’s sales director, who found nude photos of Mrs. G on the phone and sent a photo to an email address for a swingers’ website. The sales director had an active profile on the swingers’ site. When Mr. G got his phone back, he noticed that a photo of his wife had been accessed. He then checked his sent emails and saw that the photo had been emailed to the swingers’ website.

Again, these facts are what was alleged in a lawsuit in Dallas.

The mantra of customer retention seems even more urgent when conventional wisdom tells us it is much more expensive to acquire a new customer than to retain an old customer. While there is, admittedly, pressure on the dealership floor to make sales, how do you balance meeting sales goals while retaining customers?

Beyond Breach of Contract

Certainly, in the first scenario, the dealership entered into a written contract with its customer which it unilaterally breached by refusing to perform the leather installation. If this is where the story stopped, the fallout could include a breach of contract claim, perhaps an unfair trade practices claim and maybe a complaint with the local attorney general’s office. Obviously, attempting to use nude photos of the customer to coerce her to do something escalated this fact pattern from a breach of contract to something altogether different.

In the second scenario, had the sales manager not gone “fishing” into the stored photos on the customer’s phone, then presumably the sales transaction could have been completed without further incident. This conduct is so outrageous that it almost defies belief.

Each dealership should, of course, as part of its written policies and procedures, specifically set forth expectations of behavior, even for situations which seem self-evident. Privacy and nonpublic personal information (NPI) must be safeguarded, and certainly all customers should be treated with respect — if customer retention is the priority it should be.

So what is the takeaway here? Obviously, if a contract is entered into, both sides should honor its terms and if there is a question, counsel should be retained for review and analysis before any action is taken. While the first scenario only resulted in a suit against the local Georgia dealer, the second scenario resulted in a suit against both the Dallas dealer and Toyota Motors North America. Both dealers have shattered their reputations, and the second dealer may have jeopardized its relationship with its distributor.

The story does not mention any pre-employment screening which may or may not have been performed in the second scenario, but obviously this manager-level employee had significant judgment and decision-making deficits, beyond the moral issues. While compliance issues gather their fair share of headlines, ordinary contract and privacy issues can be just as damaging to the dealer’s wallet and, more importantly, reputation.

Just protecting NPI is no longer a good benchmark for dealerships. Recent headlines regarding the hacking of Sony Entertainment and even the hacking of the Democratic National Committee established that protecting all customer information is the new standard, NPI included. While protecting NPI is the regulatory standard, to preserve your reputation with your customers, dealers must take affirmative action to safeguard and keep all customer information secure — photographs, email addresses, telephone numbers, everything that is unique to the customer.

“Keeping it secure” is the new norm to maintain customers for life. Hands-on management requires scrutiny in screening employees, notifying employees of written expectations of conduct and behavior as well as periodic review. Boundary setting is considered the hallmark of good management, and these two scenarios prove this true.

Content in this article is intended for informational purposes only and should not be construed as legal advice, and should not be relied upon or acted upon without specific legal advice based upon your unique jurisdiction and circumstances. No attorney-client relationship is being created by your review or use of this material.

Compliance Management System or Compliance Training?

What is the important and significant difference between a compliance management system (CMS) and compliance training? Why is one preferable to the other in the compliance space for dealerships? A “system” has been defined as describing a set of connected parts forming a complex whole or an organized set of procedures by which something is done. The key concept centers on the “connectedness” of the components forming a larger set. “Training,” on the other hand, is defined as the action of teaching a particular skill or behavior.

The CFPB has said that they expect every large participant (including “nonbank,” i.e. auto finance companies) to have a CMS in place, not just training. Auto finance sources, in turn, require your dealers to implement a CMS in their stores. In the event a finance source discovers that a dealer has failed to implement a CMS, drastic measures are sure to follow. There is a popular misconception that “training = system,” rather than the more accurate description: “system > training.”

The Four Prongs

The CFPB has outlined at least four prongs, or interconnected parts, that form the larger whole of a CMS: policies and procedures, training, audit and complaint management. As you can see, training is just one component of a larger system of compliance, but it is not a “system” unto itself.

Many dealers are tempted to say they train their staff and consider themselves to be compliant. While there may be training, what happens if an issue arises in any of the other three prongs that the CFPB has identified as part of a CMS?

For instance, what if there is a question regarding written policies and procedures, or regarding a customer complaint or a question regarding an audit? What is the process to be followed? Who has supervisory responsibility? How can consistent, repeatable processes be followed?

The answer is that mere training is not enough. You need an interconnected system. Given the high turnover of employees and the lack of up-to-date information around the key areas of legal requirements that dealers face just to sell cars, a CMS is the only sure way to stay current and have consistent and repeatable compliance processes embedded in the dealer workflow.

One More System Won’t Hurt

Dealer workflow is no stranger to systems. The “S” in “DMS” stands for “system.” Sales of vehicles, ancillary products or parts and service are frequently tied into menu-selling systems. These systems integrate all the disparate items under one “roof” so all opportunities are fully and completely explored. Doesn’t it make sense to also use a system to integrate all compliance expectations and processes under one “roof”?

A CMS should serve to automate, making sure all employees receive lessons appropriate to their job duties. A CMS should generate reports regarding employees who have passed (or not passed) their training and the time required to do so. A CMS should establish consistent and repeatable processes to address problems and issues as they arise and can also serve to suggest revisiting procedures and training to lessen the likelihood of the same issue coming up repeatedly.

Why would a dealer consider implementing training rather than a complete CMS? The only answers that spring to mind are price or lack of knowledge. The old adage that if it is worth doing, it is worth doing well applies here. Training is a halfway (or perhaps even a 25%) solution to compliance. If you read any compliance headlines, you can easily see that the penalties are in the millions of dollars. Price should not realistically be a deciding factor.

After reading this article, you cannot claim a lack of knowledge of the difference between mere training and a complete compliance management system. Some of you may be familiar with the television and movie series “Star Trek.” If so, you are likely familiar with a villain named the Borg, which is a collection of human cyborgs linked together in a hive called the Collective. The Borg are known for several quotes and I would like to paraphrase one here: “Resistance is futile. You will comply.”

While I am not necessarily equating the CFPB with the Borg, compliance in some format is here to stay and best practices mandate that a complete system is needed to address this requirement. In the case of system versus training, the undisputed evidence favors system over training; there is no valid excuse or justification for adopting an incomplete compliance solution, so go out there and get a complete compliance management system today!

Who Are You? Who? Who? Who? Who?

If you are of a certain age, you will quickly recognize the refrain from the 1978 double platinum “Who Are You?” album by rock legends The Who. While the song is about band member Pete Townshend getting questioned by the local men in blue after a bender, on the dealership floor the question is more focused on getting to know the prospective buyer.

More specifically, your dealers need to know the identity of each buyer, and they need to know that the buyer is not an identity thief.

What we are talking about is, of course, the Red Flags Rule. The Red Flags Rule is designed to identify “red flags,” or reasonably foreseeable risks of identity theft. The goal of the rule is the protection of customers who may be victims of identity theft, but it protects your dealer clients as well.

Red Flags and the CMS

Generally speaking, each dealership should have an identity theft program in place as part of a larger compliance management system (CMS), which consists of policies and procedures, training, auditing and complaint management.

The Red Flags Rule requires an evaluation of certain risk factors, such as alerts from consumer reporting agencies, presentation of identification documents which appear altered or do not match the physical appearance of the customer, and unusual activity in the customer account (e.g. a material change in the use of credit), among others.

From a practical perspective, there are at least two additional considerations. First, many, if not most, dealers outsource Red Flags compliance and then stop thinking about it. Have your dealers updated their policies and procedures to reflect the outsourced Red Flags process? Does their sales force check the red flags identified by the FTC? What is the procedure if a red flag is discovered? Reliance on third-party software may not be sufficient to comply with the rule if a comprehensive compliance process is not implemented.

Full Indemnity

The second practical consideration concerns vehicle financing. Most, if not all, larger indirect financing sources will require full indemnity and repurchase of any purchases obtained through identity fraud.

There is no insurance policy which will cover a loss caused by violating the law so, as a practical matter, your dealer will suffer a double loss in that they will need to pay back the bank and they will not have the vehicle. In addition, the FTC can impose a fine of $3,500 per violation in addition to seeking per-day penalties and UDAAP damages. The total financial cost of identity theft to the dealership can be substantial.

Dealers are increasingly relying on the internet to drive sales. Completing sales remotely creates a large identity theft risk because the ability to verify the customer’s identity is more difficult. The buyer can send a “Photoshopped” driver’s license via email, for example, or provide a fraudulent credit card.

So what is the takeaway here? Identifying red flags is required to protect against identity fraud, and having a good program in place will go a long way toward protecting both the customer and your business. You and your dealers need to take action to protect their reputations and preserve customer loyalty. You need to take action to keep the growing problem of identity theft out of your clients’ dealerships by verifying that the potential customer is exactly who they say they are.

As Pete Townshend says, you “really wanna know”: who are you, Mr. Customer? Who? Who? Who? Who?

Can I Get Your Number?

Back in the old days, before the advent of modern communication such as FaceTime, WhatsApp, Skype and many other platforms, the only real social media platform was the telephone. Asking someone for their phone number was a rite of passage which ended in either joy or disaster, depending on whether you received someone’s phone number.

Of course, sometimes you might end up with a phone number that does not belong to the person, if you were asking Elaine in a “Seinfeld” episode. (How quaint, I know.) You might be asking yourself exactly what this trip down memory lane has to do with selling cars. Well, in 2017, the issue of express consent when asking for someone’s cell phone number continues to be very important, and agents can play a key role in keeping their dealers in compliance.

Match the Consent to the Message

The Telephone Consumer Protection Act (TCPA) generally prohibits a dealership employee from making a call (or sending a text) to a consumer’s mobile phone without their prior express consent (while using an automatic telephone dialing system or artificial or prerecorded voice). For purposes of this article, I am going to stick to the consent issue and not address autodialer-related issues. So what type of consent is required before calling a consumer’s cell phone?

The type of consent depends on the type of message. If the telephone call is not a telemarketing call but is purely informational, then only prior express consent is required. Examples of purely informational calls would be a school closing call, a fraud alert call or airline notification calls. If the call is a telemarketing call, then prior express written consent is required.

Telemarketing calls typically offer and market goods or services to consumers or seek to induce consumers to make a purchase of goods or services in the future. If the call is a mix of non-telemarketing and telemarketing, then prior express written consent is required. Some calls fall outside these two categories (i.e. purely informational or telemarketing) such as political calls (no more, please!), surveys or debt collection calls.

Assuming written consent is required, what sort of information should be considered for inclusion? Consider including the following:

  • The specific company to which consent is given
  • The consumer’s phone number
  • Clear evidence of consent
  • Clear and conspicuous disclosure that consent permits the seller to send telemarketing messages
  • Disclosure that the calls will be made with automatic telephone technology
  • Disclosure that consent is not required to purchase products or services
  • The customer’s electronic or written signature

What’s the Damage?

The TCPA provides for uncapped statutory damages of $500 per violation, which is tripled to $1,500 per violation for willful violations. There has been a large increase in TCPA actions, from 14 in 2007 to 3,710 in 2015. The lawsuits span many different industries due to the possibility of high class-action statutory damages and have included such notable companies as Twitter, CVS and the Buffalo Bills, to name a few. In Illinois, final approval has been given to a $75.5 million TCPA class-action suit against Capital One and its affiliates.

So what is the takeaway here? Compliance with the TCPA is necessary, and noncompliance can be very costly. Your dealers must obtain prior written consent before communicating any telemarketing message or text. They should also require all their service providers to be TCPA-compliant. If one of your dealers’ service providers violates the TCPA, the dealer can be vicariously liable.

Finally, consider an opt-out mechanism to allow your dealer clients’ customers to revoke consent from future telemarketing. Retain consent records for four years; this is the statute of limitations for TCPA actions. And keep in mind that if someone tells you their phone number is 867-5903, you can safely assume they do not want you to call them — unless their name is Tommy Tutone!
