Providers, Administrators, and the Safeguards Rule

The Safeguards Rule went into effect on May 23, 2003, and brought with it a raft of new obligations for dealerships. Having lived through that event, I can attest to the consternation it caused. The Safeguards Rule applies to “financial institutions,” and dealerships, because they originate financing, fall within the definition of financial institution. Having to learn how to act like banks did not come easy to most of the industry.

Fortunately for providers and administrators, they do not originate financing and therefore are not considered financial institutions. Thus, the burdens of the Safeguards Rule do not fall upon your shoulders, right?

Wrong. 

The Safeguards Rule obligates dealerships to both follow its requirements and only use service providers that also follow the terms of the Safeguards Rule. What is a “service provider,” you ask? 

“Service provider” means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part. In other words, providers and administrators of service contacts, among others, by virtue or receiving customer data. Why is this important? Because dealerships are required to “Oversee service providers, by:

1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
2. Requiring your service providers by contract to implement and maintain such safeguards.”16 CFR 314.4(d)

In other words, dealerships may only do business with providers and administrators that follow the Safeguards Rule as well, at least to the extent appropriate for the data at issue.

While providers and administrators routinely receive, maintain, process and otherwise have access to customer information, it rarely involves such sensitive data as Social Security number, financial account numbers, or mother’s maiden name.

Yet even more mundane customer information can be misused to a customer’s detriment. Consider the following phone conversation:

Caller: Hello, Mr. John Smith?

Customer: This is he. 

Caller: Mr. Smith, this is Tom Jones from Oconomowoc Motors. You purchased a 2019 Queen Pea Family Truckster from us on Oct. 12 for $37,500, correct?

Customer: That’s right.

Caller: A routine audit of our records indicated that you were overcharged for the service contract you purchased in connection with that transaction. We intend to reimburse you $750, plus interest. If you just give us your bank account information, we will transfer that amount immediately.

All the information needed for an identity thief to “spoof” a customer and obtain the customer’s bank account information is typically part of the customer’s file held by the provider or administrator. 

At a practical level, what does this mean? What must providers and administrators do to comply with the Safeguards Rule? Essentially, what dealerships must do, providers must mirror. In a nutshell, those obligations are seven:

1. Conduct a risk assessment, specifically considering employee training and management, IT systems, and detecting, preventing, and responding to attacks or system failures.
2. Design and implement safeguards that address the risks identified.
3. Oversee your own service providers.
4. Evaluate and adjust your information security program in response to regular audits of its effectiveness and performance. 

Sound like a lot? It is, but it’s important. If a dealership’s service contract provider is not in compliance with the Safeguards Rule, the dealership is not in compliance, either. Putting your dealership clients in a position of legal peril is not a good business plan. Conversely, assuring your clients (and prospective clients) that you’ve thought this through for their protection can only help solidify your relationship.