CONCERNING PROTECTION OF CUSTOMER INFORMATION
It is the policy of Faulkner Pontiac-Buick-GMC to take reasonable steps to protect the personal information of our customers. At a minimum, we will comply with the FTC Safeguards Rule, implementing the provisions of the Gramm-Leach-Bliley Act as they pertain to automobile dealerships.
The requirements of the Safeguards Rule, and our policy with respect to each, follow.
Faulkner Pontiac-Buick-GMC shall designate both a Compliance Officer and an Assistant Compliance Officer at each Faulkner Pontiac-Buick-GMC facility. Both the Compliance Officer and the Assistant Compliance Officer shall receive the same training (described below). In the event the Compliance Officer [at any given location] becomes unable or unwilling to continue serving in that capacity, the Assistant Compliance Officer shall assume the Compliance Officer’s duties until such time as a new Compliance Officer can be designated and trained. The Assistant Compliance Officer may be made the Compliance Officer, in which case a new Assistant Compliance Officer shall be designated and trained. It is the policy of Faulkner Pontiac-Buick-GMC to never be without a Compliance Officer.
The Compliance Officer shall be a management-level employee of Faulkner Pontiac-Buick-GMC who has completed the requisite training and has never been convicted of a felony involving moral turpitude. The Compliance Officer must have the education, training and work experience necessary to reasonably be able to execute the duties of that office.
The Compliance Officer shall conduct a risk assessment following the natural flow of customer information both inside and outside the dealership premises. The risk assessment shall identify how information is obtained from customers, how it is recorded, how it is transmitted, used, stored and, ultimately, destroyed. For each of those stages in the information cycle, the risk assessment shall identify (i) how unauthorized access to the information might occur; (ii) what steps the dealership is currently taking to prevent such unauthorized access to customer information; and (iii) what steps could be taken to prevent unauthorized access to customer information.
The Compliance Officer shall be responsible for ensuring that site-specific safeguards are designed and implemented. The safeguards shall address, at a minimum, the following items:
(i) Creation of secure document areas and procedures;
(ii) Selection, training and management of personnel entitled to handle customer information;
(iii) Establishment of secure storage facilities for customer information; and
(iv) Secure written agreements or contract addenda from lenders and vendors who process confidential customer information affirming compliance with the Safeguards Rule.
The Compliance Officer shall ensure that the information safeguards are audited no less than once per quarter, and the results of those audits recorded and stored.
It is the policy of Faulkner Pontiac-Buick-GMC to contract only with outside vendors and lenders (collectively, “Service Providers”) that are capable of ensuring the security of our customers’ personal information. To achieve that end, all Service Providers doing business with Faulkner Pontiac-Buick-GMC shall be required to (i) describe in writing the procedures they have in place to ensure the security of our customers’ personal information; and (ii) execute and return contract addenda that obligate them to adequately protect our customers’ personal information.
Each Service Provider with which Faulkner Pontiac-Buick-GMC does business pursuant to an oral agreement shall, as a condition of continuing its relationship with Faulkner Pontiac-Buick-GMC, execute a written Safeguards Agreement obligating the Service Provider to adequately protect our customers’ personal information.
With the passage of time and the employee turnover normal to this industry, it is possible that elements of this policy may fall out of practice. This must not be allowed to happen. To prevent an erosion of the protection this policy seeks to create, the Compliance Officer shall conduct an audit no less than once per quarter to determine the continued effectiveness and implementation of this policy. In addition, an audit shall be conducted in the event a new computer network is installed, a breach of information security is detected, or other changed circumstance makes such an audit appropriate. The results of all such audits shall be recorded and stored.