Tag Archive | "privacy"

CFPB Proposes Implementation of Privacy Notice Exemption


WASHINGTON, D.C. — Last week, the Consumer Financial Protection Bureau (CFPB) proposed to implement an amendment to the Gramm-Leach-Bliley Act (GLBA) that will grant certain financial institutions an exemption from sending annual privacy notices to customers.

The GLBA generally requires financial institutions to send annual privacy notices to customers. Within the notices, institutions are required to describe whether and how customers’ nonpublic personal information (NPI) is shared. If an institution does share customers’ NPI with unaffiliated third parties in ways other than those specified by the statute, then the institution is required to notify customers of their right to opt out of sharing and inform them of how to do so, according to a CFPB press release.

In December 2015, the GLBA was amended to exempt a financial institution from the requirements of the GLBA if it limits “its sharing of customer information so that the customer does not have the right to opt out and has not changed its privacy notice from the one previously delivered to its customer,” the press release stated.

Along with granting exemption, the proposed implementation of the December amendment would also establish deadlines for institutions resuming annual privacy notices if their practices change and cease to qualify for the exemption, according to the CFPB.

Implementation of the amendment would also allow financial institutions that qualify for GLBA exemption to post annual privacy notices online rather than deliver them to customers individually. “In light of this, the Bureau is proposing to also remove the alternative delivery method,” the CFPB press release stated.


Privacy: None of Your Business?


Are privacy concerns part of your business? If not, they should be. Ignoring them can unnecessarily expose your agency, your reputation and your dealer clients to great harm. To begin with, it is necessary to understand NPI.

NPI is a common abbreviation for nonpublic personally identifiable financial information. Personally identifiable financial information, in turn, means any information a consumer provides in order to obtain a financial product or service from you, typically a loan application. Car dealers who extend credit or arrange financing or leasing have certain responsibilities with regard to safeguarding NPI.

NPI is commonly found in dealerships in credit applications, driver’s licenses, credit card numbers and credit reports, to name a few, and can be on paper or in computer files. Let’s take a closer look at the process and benefits of securing this information.

Leave No Stone Unturned

Let’s start at the top. Does your dealership have policies and procedures in place to address safeguarding NPI? What happens to the customer’s driver’s license while they are taking a test drive? Do they sit on your salesman’s desk or in his or her drawer? What about credit card numbers? Do they sit in an unsecured area when a customer wants to get a rental car?

Do all employees have “all access” to the dealership computer network where customers’ NPI is stored? Are secure passwords and authentication required to access NPI, and is there a suspension protocol after a certain number of unsuccessful attempts? What are your policies regarding paper records? Where are they stored and who has access to the storage area? Where do you store “dead deal” files? How about “closed deal” files? These files are filled with NPI. Where are they stored, how are they secured and who has access to them? What happens when you need to move these files within the dealership or to a different building? What are your policies and procedures to keep them secure? How many sets of keys are there to the secure room and who has those keys? What happens when your salesmen or managers get up to leave their desks? What is displayed on their screens, and is the network secured before they leave their desks? What are your remote access policies?

The policies and procedures should be overseen by a compliance coordinator with authority to carry out the duties of the position and who reports to the general manager or dealer. Can your dealer clients say, in good faith — as required by the Safeguards Rule — that they maintain “physical, electronic and procedural safeguards to protect the confidentiality and security of the information we collect”? Is there a training program in place so that existing employees and new hires are trained on the compliance issues, including the importance of securing NPI and protecting the business’ reputation?

When Disaster Strikes

One increasing risk of failing to secure NPI is a data breach or other security incident. In 2015 alone, there were almost 800 reported data breaches; many more go unreported. Each time a data breach happens, a business’ reputation suffers, money is lost and that business may come under strict regulatory scrutiny.

Have your dealers performed a risk assessment or security audit? Do you know if there are vulnerabilities in the process of taking, processing, storing and disposing of NPI? As previously mentioned, I would bet that your dealers’ sales desks and storage areas could be areas of concern as far as securing NPI goes. Is there a process for addressing any reports or discoveries of security vulnerabilities? Do you use industry-standard methods to secure and monitor your network? Do you test your information security program regularly?

Does your business use outside service providers who have access to your customers’ NPI? For instance, do you use a contact management/business development system such as a BDC or CRM that interfaces with your DMS? Can those other applications access NPI that you have stored in your DMS? Do you have a segmented network? Do you have contracts with written security expectations for the service provider? Do you oversee your service provider to verify they are compliant with your security expectations?

While it may be tempting to consider these ideas as something that will never happen to you or your clients, you should be aware of the consequences. Aside from the incalculable value of the loss of their customers’ goodwill, the FTC can seek civil penalties of $100,000 per violation against the business and $10,000 per violation against liable officers and directors. In addition to these civil sanctions, there can also be criminal penalties and claims of unfair trade practices. You may have heard of LifeLock, a company that specializes in identity theft prevention. LifeLock was recently penalized $100 million, in part because it failed to establish and maintain a comprehensive information security program. This is a company that is supposed to specialize in security! That is a lot of zeros and a lot of reasons why compliance and privacy should have your undivided attention.

If you are reading this article, then you must know the importance of privacy rights and nonpublic personal information. Protecting privacy and customers’ NPI must be part of your business plan, now and for the future. As the old adage goes, no one plans to fail, but many fail to plan. While perhaps no system can be “bulletproof,” it makes good business sense to make reasonable efforts to protect yourself from the dangers of not securing customer privacy and NPI. Go out there and do all you can to protect yourself, your business and your dealer clients’ hard-earned goodwill and implement your security program!


Most Employees Would Refuse To Hand Over Facebook Passwords: Survey Says


Googling job candidates and checking out their social networks has become a standard part of many companies’ hiring process. This is especially important for small businesses, since your staff is small and every job is crucial. But lately everyone has been buzzing about what happens when companies go one step further and ask job applicants (as well as current employees) for their social media passwords.

Obviously this didn’t go over very well with the American worker. In a recent American Pulse survey, here’s what employees or job candidates said they would do if a business asked them to share their social media passwords:

  • 40.2 percent would either quit their jobs or withdraw their applications.
  • 16.1 percent would delete their social media pages.
  • 10.9 percent would share the passwords.
  • 10.5 percent would first edit their social media profiles, then hand over the passwords.

Why It Matters to Your Business: Seriously, bosses, why would you even go there? Looking at a candidate’s social media presence to see how professional it is is one thing, but asking for private passwords is an invasion of privacy. Would you turn over your social network passwords to a potential landlord or a banker? And be careful when checking a candidate’s social media profile, since rejecting a candidate based on what you find there could open you up to a lawsuit if your rejection is based on a discriminatory reason.

This article was written by Rieva Lesonsky and published in The Huffington Post.


Supreme Court: Employers Allowed to Search Employees’ Text Messages


Employees had better think twice about texting at work. In a unanimous decision, the Supreme Court today ruled that government employers can legally look at their employees’ text messages on government-issued devices if the inspection has “a legitimate work-related purpose,” AOL Small Business reported.

The court did not address the privacy rights of employees at private companies.

The case involved an Ontario, Calif., police officer, who had his pager examined after running over his text message limit. In the process, the department found that he had been sending sexually explicit messages to a mistress, and he sued over a violation of his privacy.

In their decision, the justices sided with the city, and noted that mobile devices have become so ubiquitous and generally affordable that employees should purchase their own for personal use.
