By Kevin E. Timson, Esq., Bellavia Blatt, PC
Prior to closing a dealership transaction, buyers should identify all the improper practices exhibited by staff that will need to be corrected. Staff may often have a certain way of doing things that survived under the seller which are nonetheless at odds with the dealership’s legal obligations to customers. This is especially the case regarding consumer privacy issues related to customers purchasing vehicles on credit.
While a buyer purchasing dealership assets may not be responsible for the consumer-finance liabilities of the seller’s company, the buyer will still want to perform due diligence on what security practices need to be improved at the dealership to avoid any post-closing complications. This review is critical because under the FTC’s Safeguards Rule of the Gramm-Leach-Bliley Act (hereafter referred to as the “Rule”), dealerships are classified as “financial institutions,” all of whom must have specific procedures in place to protect such personal information.
The costs of violating the Rule are too great for a buyer to not have proper procedures in place post-closing. While the Rule does not specifically provide for remedies through private actions, consumers nationwide have brought negligence claims in state and federal courts citing the failure of businesses to meet their duties under the Rule.
Additionally, the FTC can hold violators responsible by issuing penalties of up to $42,530 per violation. The FTC has also reached settlements requiring businesses to notify customers of security breaches, damaging the reputation of these businesses in the process. By putting protections for customer data, a dealership buyer can avoid heavy fines and large settlements that may be brought on by consumer litigation and FTC enforcement actions.
Having a comprehensive plan in place for a newly purchased dealership is also important because the FTC has proposed updates to the Rule that contain more prescriptive requirements for dealerships on how to safeguard consumer information. To date, the FTC has largely left dealers to decide on the specific steps that make a safeguard reasonable or not. With proposed amendments to Rule made in the Spring and the comment period expiring in August, the FTC should be issuing amendments in the coming months that will require dealers to use specific commercially acceptable information security standards.
For now, it is important for buyers to know how their newly-purchased dealerships should comply with the current Rule. First and foremost, what information needs to be protected? Under the Rule, these dealerships must protect all non-public information that is personally identifiable to a specific customer.
This includes whether such information is in paper or electronic format and whether it is held by a dealership or by any other company controlled by the buyer. Such information can include social security numbers, phone numbers, emails, home addresses, credit scores, credit reports and other sensitive personal information.
However, other information might also be included. The Rule sets broad requirements on dealerships to protect against unauthorized access to any personally identifiable information that would result in substantial harm or inconvenience to customers — i.e., any information that could be damaging to customers if it got in the wrong hands must be protected.
Prior to closing a dealership purchase, a buyer should review the dealership’s information security program, a critical document that is required of dealerships under the Rule. The program should outline the administrative, physical and technical safeguards already in place. The buyer should also ensure post-closing that the dealership has a team of designated employees that will regularly assess reasonably foreseeable internal or external threats to the confidentiality and integrity of customer information.
Internal threats may come from a lack of awareness by employees in safeguarding customer information and inadvertently disclosing information to unauthorized outsiders. External threats may include attempted attacks or intrusions by hackers looking to profit off the sale of stolen personal data on customers. The buyer should ensure that the store’s safeguards are designed and implemented to best control these risks.
Having locks on doors and file cabinets and requiring users to have stronger passwords are some obvious protections that any store should have. More extensive safeguards acceptable to the FTC include software upgraded to the latest versions, established processes for handling, storing and disclosing customer information, continuous monitoring for attempted attacks on dealership servers and encryption used on transmitting and storing customer records.
Buyers need to pay particular attention to employee policies and training. Every information security program has a weakness, and it often is the employees who enter and manage customer information. Accordingly, it is critical for buyers to have proper employee procedures and training programs in place once the dealership transaction is consummated.
Procedures and training should help employees to identify “phishing” scams and certify when third parties are authorized to access customer data. All it takes is for one bad actor to call into the F&I manager posing as a DMS vendor to access the systems that hold the dealeship’s deal jackets, retail sales installment contracts and other records that may contain customer social security numbers, addresses, emails and phone numbers.
Speaking of vendors, the Rule also requires a buyer to have the dealership take reasonable steps to ensure that service providers have appropriate safeguards on personally identifiable customer information. Dealers taking on new stores should look at how a store’s lenders, cloud storage vendors and DMS providers safeguard customer information, as the dealer may also be liable for breaches that occur when these parties manage customer information on behalf of the store. All other vendors who come into contact with customer information should also provide appropriate safeguards. This includes document shredding companies, billing providers, direct marketing vendors and custodial services.
A buyer should also make sure that the store’s information security program includes a detailed written plan to respond to security breaches if and when they occur. Such a plan could involve having forensic consultants available to quickly diagnose a breach and close any vulnerabilities in the dealership’s IT system. The plan should also require senior management to have notices to customers ready if required by the FTC. Legal counsel should also be involved to confirm what specific actions the dealership must take to comply with the Safeguards rule and related state-level laws and regulations.
Lastly, the buyer should make sure that the store has periodically tested its IT system for vulnerabilities. A buyer should ask how often these tests are performed and get specific details on any past tests, their results, and the improvements that were made to the IT system in response to these results.
Buyers may benefit from having a security consultant review past incidents and responses that have occurred under the seller’s watch. In addition, buyers should make sure that the purchase agreement contains representations and warranties that attest to the safeguards that the seller has put in place to comply with the Rule. Buyer counsel can provide detailed language that provides for such representations and warranties.
With the millions of dollars typically spent on the blue-sky value of any given dealership, buyers need to protect their investment in the stores they purchase by identifying and planning for the risk that such goodwill might be eroded by an information security breach.
It is better to anticipate security risks prior to any sale so that the buyer can properly address them once the dealership is purchased. The change in ownership at a dealership provides the best time for a buyer to examine the store’s current information security program and implement the changes to this program necessary to comply with the Safeguards Rule and related state requirements.