Consumer Privacy in Auto Lending

Print Friendly, PDF & Email
Brien Joyce Vice President EFG Companies
Contributing Author:
Brien Joyce
Vice President
EFG Companies

Do you know someone who was affected by the Equifax data breach? How about the Verifone hack or, the breach within the Internal Revenue Service (IRS)? According to the Identity Theft Resource Center® (ITRC) and CyberScout®, 1,579 data breaches occurred in 2017, representing a 44.7 percent year-over-year increase.

A study of more than 10,000 consumers by Gemalto, a data security firm, stated 70 percent of consumers would stop doing business with a company if it experienced a data breach. And, 69 percent feel businesses don’t take security of consumer data very seriously.

As a lender, you’ve probably paid very close attention to your policies and practices when it comes to securing consumer data, especially as you’ve migrated your business model to a mostly digital platform. However, your dealer partners have not felt the same pressure to ensure their data compliance. After all, it’s only been in recent years that auto dealers have begun to take fuller advantage of the digital resources available to store their documents and manage their customer relationships.

So, here’s my question for you. If a data breach occurs within a dealership and all the consumers they sent your way were affected, does that look bad on you? After all, the consumer thinks of you as their lender, not the dealership. While they may have filled out the loan application in a dealership, they most likely consider you the source of truth for their information. If a consumer has their identity stolen from their loan application and they place blame on you and the dealership, what are you to do?

While the dealer may be legally liable, that negative impact to your brand directly affects your business. So, what can you do to better insulate your institution? Educate…educate…educate. Be an available resource for your partners. Ask the difficult questions and flag issues as soon as they arise. It’s likely that your partners don’t intend to place customer data at risk. They simply aren’t aware of the risk.

In retail automotive, dealers have been regulated on consumer privacy ever since the Gramm Leach Bliley Act was passed in 1999. Under Gramm-Leach Bliley, dealers are required to implement, and regularly audit, a written “Information Security Program,” to protect information about its customers. This is called the Safeguard Rule. However, in 1999, digital data breaches were not even a feasible consideration for most dealers.

To date, these “Information Security Programs” detailed how to physically secure private consumer data. It’s because of these programs that most F&I offices are locked, and F&I managers pay very close attention to make sure no private consumer information can be displayed on a desk or computer screen for anyone to see.

While these procedures are important, they now need to be augmented to incorporate every possible way a consumer data breach could occur. Our Vice President of Complaince, Steve Roennau, recently had the pleasure of interviewing Trevor Lain, the Founder of LexAlign, a Public Benefit Corporation that creates online apps for compliance, on how compliance has evolved to incorporate digital assets in the retail automotive space. In the interview, which you can find here, Trevor outlined questions lenders need to ask themselves when it comes to securing private consumer information:

  • Do your dealer partners have a written “Information Security Program” that includes procedures for each department that handles private consumer data, both digitally and physically?
  • Is that program based on their own security risk assessment?
    • Have they identified all reasonably foreseeable risks that could result in unauthorized disclosure or compromise of their consumer data?
    • Have they assessed the adequacy of the safeguards they have in place?
  • Do your dealership partners have a designated person responsible for customer information security, and is that person an employee with the authority to implement the program?
  • How are your dealership partners overseeing service providers that might have access to, or take possession of, customer information?
  • Do their agreements with their service providers require them to implement appropriate safeguards?
  • What are your dealership partners doing to protect customer information from the moment it is collected, all the way through to disposal?
  • Do your dealership partners have sufficient training, oversight, and procedures for securing private consumer data?

A good example of digital security that many dealers are not aware of has to do with the copy machine. Let’s say a sales person makes a copy of a driver’s license. The copier has electronic records of every piece of documentation that is scanned or copied on the machine. Is the hard drive on the copier encrypted, or protected by a passcode? Is it being wiped on a regular basis? What happens when the copier is put out to pasture? If the copier is leased, is there an agreement in place allowing the dealer to wipe or destroy the drive after the lease ends? If the copier is owned, are there written procedures in place to destroy the drive? These are the questions dealers need to answer for all their electronic records.

Now think of all the ways a Customer Relationship Management (CRM) program can be breached. Simply moving from a paper-only business model of the 80s and 90s to digital documentation has expanded the ways consumer data breaches can occur. This expansion will only increase in the coming years as dealers move to take better advantage of consumers’ digital buying habits. The best way to move forward in this digital era is to share your best practices with your dealer partners to help them continually update their compliance procedures.

Data security is a lender’s bailiwick. So take an opportunity to inform your partners. We’ll all be safer for the effort.