Compliance Blog
Streamline the vehicle sales, F&I and purchase process while navigating Federal and State Laws and Regulatory Mandates.
December 2005
Aggressive FTC Enforcement of Consumer Regulations Puts Pressure on Auto Dealerships
December 01, 2005
by Randy Henrick
In case you haven’t noticed (and you probably haven’t), the Federal Trade Commission (FTC) has been very aggressive lately in enforcing consumer protection laws that apply to auto dealers. While some of the recent activity has been focused on other industries, it’s a trend worth noting. According to insiders, there is an army of people at the FTC doing things like reviewing on-line privacy policies and then cold-calling the relevant companies to see if reality matches up with the promises. Auto dealers are definitely on the FTC’s radar screen.
Recently, the FTC entered into a consent decree with DIRECTV that set an all-time record for the highest fine ever assessed in a consumer law enforcement proceeding, $5,335,000.00. The consent decree settled FTC charges that DIRECTV violated the FTC Telemarketing Sales Rule. Among other things, this Rule prohibits calls to persons on the FTC’s National “Do Not Call” Registry and limits abandonment of calls made by predictive dialing machines (97% of calls must have a live operator on the call within 2 seconds after the consumer answers). DIRECTV also settled similar charges with a number of states that maintain their own “do not call” lists for telemarketing purposes.
Under the FTC settlement, DIRECTV is also required to conduct due diligence and closely monitor any telemarketing firms it employs going forward as well as keep detailed records on how each new customer is solicited for service. It must submit detailed compliance reports to the FTC for a minimum of 3 years.
Five telemarketers that performed services for DIRECTV also settled with the FTC and paid fines of between $25,000 and $746,300. Two of these firms were put out of business by being unable to pay the fines. Seven additional telemarketing firms used by DIRECTV remain in litigation with the FTC.
In case you are wondering how the FTC came up with $5,335,000.00 as the amount of DIRECTV’s fine, it was reported that the FTC took the $11,000 maximum fine for each violation of the “deceptive trade practices” section of the FTC Act (in theory, each call is a separate violation) and multiplied the $11,000 by the number of days from when the calls first started until DIRECTV began serious settlement discussions with the FTC. The message is unmistakable that the FTC is getting serious about enforcing compliance with the Telemarketing Sales Rule.
It was a very bad week for DIRECTV. The FTC announcement followed by one day a separate announcement that DIRECTV had agreed to pay $5 million to settle a 22-state investigation into its marketing and advertising practices.
The FTC has also been exercising its muscle in regards to consumer data security. All dealers should know they are subject to the FTC’s Information Safeguards Rule and the Consumer Information Disposal Rule. These Rules require dealers to have a written consumer information security plan that describes how your dealership protects customer information. It must designate one or more employees to coordinate the safeguards. You must regularly monitor and test the plan, evaluating and adjusting it accordingly. Among the subjects that must be addressed are disposal of consumer information obtained from credit reports and, for all intents and purposes, disposal of personal consumer information generally. Shredding, electronic file deletion and the use of reputable supervised contractors to destroy the information are good practices.
Recently, the FTC brought and settled cases against DSW Shoes and BJ’s Wholesale Club for their lax security practices involving protection of consumer information. It is significant to note that neither DSW nor BJ’s is technically subject to the FTC Safeguards Rule and that both were sued for their security practices being a deceptive trade practice under the FTC Act. That’s the same law the FTC used to sue DIRECTV with its $11,000 per violation damage potential.
In chiding DSW and BJ’s, the FTC cited 6 specific shortcomings in their respective operations concerning safeguarding customer information. These may represent an insight into what the FTC considers minimum standards necessary to protect customer information access and security. The FTC went out of its way to state that many of the customers whose information was compromised from DSW and BJ’s ultimately had their identities stolen.
The 6 criticized practices were as follows:
- Failing to encrypt consumer information in transmittal or storage.
- Storing sensitive information when the company no longer had a business need to keep it.
- Failing to use security measures to limit network access through wireless access points on the network.
- Storing information in files that could be easily accessed using a commonly known default or user password.
- Failing to limit the ability of in-store computers to connect to other in-store computers and corporate networks.
- Failing to employ sufficient measures to detect unauthorized access to sensitive information.
Unfortunately, there is no “safe harbor” or “one size fits all” for data security practices necessary to comply with the Safeguards Rule. It is intended to be a flexible standard tied to the needs and sensitivities of each dealer. What is necessary for a multi-store conglomerate may not be necessary for a single store monoline. But putting procedures in place to secure information and establishing access logs for physical and electronic files would seem to be a minimum.
On the systems side, there are a variety of encryption technologies that may be affordable to meet your needs. Consult your IT professional. If your dealership accepts consumer applications over the Internet, you should make sure the data transmissions are encrypted and be aware that identity thieves use sophisticated “phishing” and “pharming” techniques to direct unsuspecting consumers unknowingly to look-alike sites from which their personal information is siphoned away. A product like DealerTrack’s WebsitePlus can help you securely obtain customer information over the Internet.
Large corporate data security breaches at companies like Bank of America, ChoicePoint, Marriott International and Ford Motor Company made headlines in 2005 and led to 22 states passing laws requiring notices to consumers if computerized personal information is wrongfully accessed. (See the November 15, 2005 Compliance Corner for a discussion of these laws). It is likely Congress will pass a database breach notice law sometime this year as well.
What you should know now is that regulators are taking compliance seriously and coming down hard on companies perceived to be lax in their policies and procedures. Forewarned is forearmed in the compliance arena so take the time to look at your own regulated activity—from data security to telemarketing—and make sure you have procedures in place to not become the next headline.
Randy Henrick is Associate General Counsel and lead Compliance Counsel for DealerTrack, Inc. Compliance Corner is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity.
Originally published December, 2005
thecomplianceguide.com is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the general nature of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations and circumstances.
Identity Theft: Dealing with America’s Fastest-Growing Crime
December 01, 2005
by Randy Henrick
Identity theft has been described as America’s fastest-growing crime. Over 9 million Americans were affected last year alone. If your dealership has not been involved in an identity theft claim then, for now, consider yourself lucky. Spending 10 minutes reading this article may ease the pain of a serious problem your dealership may experience in the near future.
Identity theft is the illegal use of someone’s means of identification: it can be someone’s name, Social Security number, driver’s license, anything uniquely associated with another person. Identity theft rings can be very sophisticated. It has been conservatively estimated that identity thieves acquired (financed) over 5,000 vehicles in the U.S. last year from dealers by using assumed aliases. The stakes for a dealership are therefore very high.
Take Identity Theft Claims Seriously
Home Depot learned about identity theft the hard way. A California consumer discovered his identity had been stolen when he applied to refinance his mortgage and was turned down because of a low credit score. It turned out that someone in Virginia used his identity to make multiple applications for credit at Home Depot stores throughout the South, which lowered his credit score.
The consumer repeatedly requested Home Depot to stop pulling his credit reports but never got a response. Then he sued. Home Depot failed to show up for the hearing, and the judge ruled that the consumer was harmed by having to pay higher interest rates on credit and for damage to his reputation. The judge awarded the consumer $930,000 in damages, plus interest at 10% until Home Depot paid up. Home Depot sought to overturn the award, but the appeals court sided with the consumer. As of September 2005, the total award with interest was over $1.1 million.
So what should you do if one of your customers has had her or his identity stolen, or believes it has been compromised?
Situation #1: A Credit Report Contains a Fraud Alert
Under the new federal Fair and Accurate Credit Transactions (FACT) Act, consumers can place a fraud alert on their credit report if they believe they may be a victim of identity theft.
- An initial fraud alert stays on a credit report for 90 days and can be initiated by a phone call to any of the three national credit bureaus (each bureau notifies the others to put fraud alerts on their files, too).
- Consumers also can place an extended fraud alert on their credit report for seven years by giving the credit bureaus an “identity theft report.” This consists of an affidavit about the known details of the identity theft, a copy of a police report, proof of the filer’s identity in the form of a passport or government-issued photo ID, and proof of residency during the time when the identity theft events took place.
If your dealership pulls a credit report that has an initial fraud alert, your staff must use reasonable policies and procedures to verify the identity of the person seeking credit. This could include requesting their driver’s license or originals of utility bills, or asking questions from their credit report that presumably only the real person would know (such as “What bank did you use in 1999?”).
Extended fraud alerts require your dealership to take extraordinary measures to ensure that you are actually dealing with the real consumer, not with an imposter. Specifically, your staff must positively identify the customer in person by requesting them to provide their passport and/or by calling them on the telephone number or other contact method designated in their extended fraud alert.
Failure to take appropriate steps to identify customers may open your business to an FTC charge of unfair or deceptive trade practices, where civil penalties may be levied up to $11,000 per violation. In addition, it is possible that an attorney could file a negligence or similar claim against your dealership.
Situation #2: Customer Identity May Have Been Stolen at Your Dealership
If a consumer claims they were victimized by identity theft at your dealership in connection with an earlier transaction, a calm and deliberate response can save your dealership a great deal of aggravation later.
- Establish proof of identity of the person making the claim by requesting a government-issued ID card or answers to questions from their transaction’s credit report that only the real person could answer.
- Request from the person proof of their claim, such as a copy of a police report or other such official documentation.
- Document everything, from the time the consumer first makes the claim until the situation is resolved.
- Notify your dealership’s attorney.
- Make copies of the deal file containing the consumer’s credit application and all business transaction records that are readily available to your dealership concerning the matter, such as credit reports, stips, etc.
- Within 30 days of the consumer’s valid request, you must provide a copy of the records to the consumer or the law enforcement agency investigating the matter.
You may decline to provide copies of the records if, in good faith, you determine that the request for information is based on a misrepresentation of facts by the alleged victim. But before doing so, consult with your dealership’s attorney.
Review Your Dealership’s Information Security Program
It is always a good idea to conduct regular reviews of your dealership’s Information Security Program. Now may be a great time to re-familiarize yourself with the steps your program recommends for investigating claims of identity theft at your dealership. Reinforcing your dealership’s employee education on identity theft and ways to verify customer identity would be a good idea, too.
A new wrinkle was added this year when 22 states passed laws requiring businesses that maintain computerized databases of consumer information to personally notify each customer when their information has been wrongfully accessed. Compliance with such “identity theft notice” laws, in the form of an incident response procedure, should be an important addition to your dealership’s Information Security Program. In New York, for example, a court can award up to $150,000 in civil fines plus actual damages incurred by consumers (including “consequential financial losses”) if a dealer knowingly fails to give the required notices. Check with your dealership’s attorney on how these laws may apply to your dealership records.
The Bottom Line
Identity theft claims should be taken seriously and investigated promptly. Be able to show that your dealership has a policy of effectively securing customer information and maintaining an audit log of employees who access consumer files. Doing so may be helpful in countering a claim that your dealership’s practices facilitated the theft of a consumer’s identity. Cooperating with law enforcement agencies when asked to do so may be helpful as well.
However you enforce your Information Security Program, just make sure you don’t take Home Depot’s approach, or you might wind up in a far-away courtroom trying to explain why you didn’t properly address America’s fastest-growing crime.
Originally published December 2005

