COMPLIANCE WITH THE FEDERAL TRADE COMMISSION S SAFEGUARDS RULE

Transcription

1 COMPLIANCE WITH THE FEDERAL TRADE COMMISSION S SAFEGUARDS RULE

2 COMPLIANCE WITH THE FEDERAL TRADE COMMISSION S SAFEGUARDS RULE Mst dealers are familiar with the requirements f the Gramm-Leach-Bliley Act and the Federal Trade Cmmissin s (FTC) Privacy Rule, which bligate them t create and distribute Privacy Ntices t their custmers. What they may nt knw is that the FTC s Standards fr Safeguarding Custmer Infrmatin, mre cmmnly knwn as the Safeguards Rule, becmes effective n May 23, The bjectives f the Safeguards Rule are t insure the security and cnfidentiality f custmer infrmatin, prtect against any anticipated threats r hazards t the security and integrity f custmer infrmatin, and prtect against unauthrized access t r use f custmer infrmatin that culd result in substantial harm r incnvenience t a custmer. The FTC s Safeguards Rule des nt change the dealership s bligatins under the FTC s Privacy Rule. The Privacy Rule deals with hw financial institutins cllect and share infrmatin. Mtr vehicle dealerships are still required t prvide their custmers with a Privacy Ntice that advises the custmer abut the types f infrmatin the dealership cllects, the surces frm which the infrmatin may be btained and the dealership s plicies with respect t sharing that infrmatin. As yu may recall, in rder t fully cmply with the Gramm-Leach-Bliley Act and the FTC s Privacy Rule, mtr vehicle dealers were als required t make a statement abut their infrmatin safeguarding practices in their Privacy Ntices. As a result, mst dealership Privacy Ntices state we maintain physical, electrnic and prcedural safeguards t prtect the cnfidentiality and security f the infrmatin we cllect. Nw the Safeguards Rule mandates that dealers have a written dcument that specifies the steps they have taken t assess the types f risks that exist with respect t the infrmatin being btained by unauthrized individuals and t prtect the cnfidentiality and security f such infrmatin. Like the Privacy Rule, the Safeguards Rule applies nly t transactins invlving persns wh btain a financial prduct r service frm the dealership primarily fr persnal, family r husehld purpses. Althugh it is a gd idea t apply the same privacy plicies and infrmatin security standards t all f the infrmatin cllected by the dealership, it is nt required fr infrmatin abut cmpanies r individuals wh btain financial prducts r services fr business, cmmercial r agricultural purpses, unless the dealership s Privacy Ntice states therwise. Persnal infrmatin typically cllected frm custmers at the dealership includes their names, addresses, telephne numbers, birth dates and scial security numbers, infrmatin cntained in credit applicatins and credit reprts, infrmatin dealerships receive frm lenders, and even lists f the dealership s finance custmers. The FTC s Safeguards Rule specifically requires every dealer, regardless f the size f his dealership, t develp, implement and maintain a cmprehensive written infrmatin security plan that describes the dealership s prgram t prtect custmer infrmatin. It als requires them t ensure that affiliates f the dealership maintain apprpriate safeguards and that their service prviders are capable f maintaining apprpriate safeguards fr the custmer infrmatin the dealership shares. The Dealership s written infrmatin security plan must: (1) Designate an emplyee r emplyees t crdinate the safeguards; (2) Identify and assess the risks t custmer infrmatin in each relevant area f the dealership s peratin, and evaluate the effectiveness f the current safeguards fr cntrlling these risks; (3) Design and implement a safeguards prgram, and regularly mnitr and test it; (4) Select apprpriate service prviders and cntract with them t implement safeguards; and (5) Evaluate and adjust the prgram in light f relevant circumstances, including changes in business arrangements r peratins, r the results f testing and mnitring f safeguards. When we filed cmments regarding the Safeguards Rule n behalf f NIADA, we requested that the FTC adpt flexible requirements, and the FTC did just that. The dealership s privacy plicies and infrmatin security standards must be develped taking int cnsideratin the dealership s size and cmplexity, the nature and scpe f its activities, the sensitivity f the infrmatin it cllects, and theses plicies and standards must be regularly mnitred. When implementing the Safeguards Rule, the dealership must cnsider all areas f its peratin, including three that are particularly imprtant t infrmatin security: Emplyee management and training; infrmatin systems, and managing system failures. In an effrt t help businesses understand and cmply with the FTC s Financial Infrmatin Safeguards Rule, the FTC issued a new Facts fr Business Publicatin titled Financial Institutins and Custmer Data: Cmplying with the Safeguards Rule.

3 While cmpliance with the FTC s Safeguards Rule is just arund the crner and, therefre, n the tp f everyne s agenda, dealers are well advised t cnsider ther Federal Privacy and Anti-Terrrism Laws that have recently been enacted r are under cnsideratin. Fr example, n Octber 26, 2001, the President signed int law the Uniting and Strengthening America by Prviding Apprpriate Tls Required t Intercept and Obstruct Terrrism Act f 2001 (USA Patrit Act). Title III f the USA Patrit Act makes a number f amendments t the anti-mney laundering prvisins f the Bank Secrecy Act (BSA) that are intended t prmte the preventin, detectin, and prsecutin f internatinal mney laundering and the financing f terrrism. Under the USA Patrit Act, the term financial institutin is defined t include a business engaged in vehicle sales, including autmbile, airplane, and bat sales. The Treasury Department has already issued a Final Rule implementing Sectin 314 f the USA Patrit Act, which establishes prcedures that encurage infrmatin sharing between gvernmental authrities and financial institutins, and amng financial institutins themselves. The first part f the Rule establishes a mechanism fr law enfrcement agencies t cmmunicate the names f suspected terrrists and mney launders t financial institutins in an effrt t lcate and secure accunts and transactins invlving thse suspects. Effective as f September 26, 2002, any mtr vehicle dealerships that receive the name f a suspect must designate ne persn at the dealership t be the cntact persn regarding the request and any future requests that it receives. They must als establish adequate prcedures t prtect the security and cnfidentiality f the requests received frm FinCEN and their respnses t these requests. The requirement t maintain adequate security and cnfidentiality prcedures t prtect the infrmatin is met if the dealership applies the same prcedures it has established t cmply with the Gramm-Leach-Bliley Act and the FTC s Safeguards Rule. The USA Patrit Act als requires every financial institutin t establish an anti-mney laundering prgram. Pursuant t Sectin 352 f the Act, the anti-mney laundering prgram must include, at a minimum: (1) The develpment f internal plicies, prcedures, and cntrls; (2) The designatin f a cmpliance fficer; (3) An nging emplyee-training prgram; and (4) An independent audit functin t test prgrams. Sectin 326 f the Act further requires the Treasury t prescribe Regulatins setting frth minimum standards fr financial institutins t identify custmers applying t pen accunts, including: (1) Adpting reasnable prcedures fr verifying the identity f any persn seeking t pen an accunt; (2) Maintaining recrds f the infrmatin used t verify the persn s identity, including the persn s name, address, and ther identifying infrmatin; and (3) Determining whether the persn appears n any lists f knwn r suspected terrrists r terrrist rganizatins prvided t the financial institutin by a Gvernment Agency. Althugh mtr vehicle dealers have been temprarily exempted frm the requirement t establish an anti-mney laundering cmpliance prgram, n February 24, 2003, FinCEN published an Advance Ntice f Prpsed Rulemaking t slicit public cmments as t hw these requirements shuld apply t mtr vehicle dealers. T eliminate the need fr NIADA Members t draft new r mdified privacy plicies and infrmatin security standards in the future, we have develped the enclsed materials t assist them in cmplying nt nly with the FTC s Safeguards Rule, but als with the USA Patrit Act and emerging implementing regulatins that will impact every dealership s plicies, practices and verall peratins. These materials are being prvided t yu fr distributin t NIADA Members free f charge. We are als prviding them t yu in electrnic frmat t make it easy fr dealers t custmize them fr their wn use. Enclsed yu will find the: FTC Guidelines titled Financial Institutins and Custmer Data: Cmplying with the Safeguards Rule, which summarize the purpse fr the Safeguards Rule and include suggested plicies and prcedures fr cmplying with the Rule. Prgram Crdinatr s Audit f Dealership Privacy Plicies and Infrmatin Security Standards Checklist Dealership Privacy Plicies and Infrmatin Security Standards Emplyee Agreement t Cmply with Privacy Plicies and Infrmatin Security Standards Statement f Privacy Plicies and Infrmatin Security Standards

4 Addendum t Service Prvider Agreements and Letter t Service Prviders Regarding Safeguarding Infrmatin Please keep in mind that these materials are designed t assist dealers t identify and implement apprpriate plicies and standards fr prtecting custmer infrmatin. They are intended as a guide fr mtr vehicle dealers t develp their privacy plicies and infrmatin security standards. While nt intended as a universal slutin that every dealership can adpt, since they are drafted frm a used mtr vehicle dealer s perspective, NIADA Members shuld find that they are easy t use and custmize fr their dealerships. It is imprtant that dealers be instructed t familiarize themselves will all f the infrmatin cntained in the dcuments prvided and include nly thse privacy plicies and infrmatin security standards that are feasible fr the dealership t implement and maintain. In additin, there may be state specific data prtectin r safeguards rules with which dealers must cmply and, therefre, they may wish t cnsult with their legal cunsel r ther prfessinal cnsultants t ensure that their privacy plicies and infrmatin security standards are apprpriate fr the dealership and in cmpliance with applicable federal and state laws, rules and regulatins. The infrmatin cntained in this dcument and the additinal materials prvided are fr general infrmatin purpses nly and shuld nt be cnsidered as legal advice.

5

6

7

8

9 PROGRAM COORDINATOR S AUDIT OF DEALERSHIP PRIVACY POLICIES AND INFORMATION SECURITY STANDARDS CHECKLIST Emplyee Management and Training Are current emplyees, new hirees and independent cntractrs wh perfrm services n behalf f the Dealership subject t satisfactry reference and, where apprpriate, cnsumer/criminal reprt investigatins? Have yu develped prcesses that limit access t custmer infrmatin and ther cnfidential recrds t authrized emplyees? D yu have a written dcument utlining the plicies and prcedures fr handling cnfidential infrmatin? Have yu cnsidered having emplyees frmally acknwledge their understanding f infrmatin security plicies and practices? What steps has the Dealership taken t train emplyees n its privacy plicies and infrmatin security standards? Des the Dealership emply passwrd-prtectin sftware and encryptin prgrams as apprpriate and have emplyees been advised nt t pst passwrds near their cmputers r share passwrds with any ther persn? D yu have apprpriate disciplinary plicies? When an emplyee ceases t be emplyed by the Dealership, d yu delete utdated user names and passwrds frm electrnic databases and netwrks and btain all keys t the Dealership and file cabinets, desks, and ffices in the Dealership frm the emplyee? Have yu cntacted yur Dealer Assciatin, Legal Prfessinals r ther cnsultants t assist yu with cmpliance as necessary? Obtaining Custmer Infrmatin and Verifying Custmer Identities D yur frms request adequate custmer infrmatin t verify the identity f the Dealership s custmers? D emplyees request t see the custmer s driver s license r ther frm f gvernment-issued identificatin with a phtgraph t verify the custmer s identity? What plicies des the Dealership have in place t address situatins when custmer infrmatin is cnflicting r cannt be verified? D yu have prcedures fr ensuring that the Dealership des nt enter int transactins with individuals r entities that appear n the list f Specially Designated Natinals and Blcked Persns maintained by the Office f Freign Asset Cntrl (OFAC)? D yu have recrd retentin plicies fr files that cntain custmer infrmatin and identity verificatin? Infrmatin Systems Hw d yu secure recrds? Are recrds that cntain custmer infrmatin stred where they can be lcked when unattended? Are file cabinets, desk drawers and ffices lcked securely?

10 Are strage areas secure frm unauthrized access and prtected against physical hazards like fire r flds? What is the prcess fr cllecting and filing written recrds? Are yur electrnic recrds stred securely? D the passwrds yu assign cntain enugh characters and cnsist f bth letters and numbers? Is n-screen infrmatin prtected? D yu change passwrds peridically and require emplyees t keep them private? Hw d yu transmit and receive sensitive custmer infrmatin? What measures are taken when dispsing f custmer infrmatin? D yu shred dcuments cntaining custmer infrmatin and stre it in a secure area until an authrized dispsal/recycling service picks it up? Hw d yu ensure data is eliminated when dispsing f cmputers, disks, hard drives r any ther electrnic media that cntains custmer infrmatin? Is there a need fr a designated recrds retentin manager? Is it necessary t establish retentin perids fr written custmer files? Are emplyees prhibited frm taking custmer infrmatin ut f the Dealership? Hw d yu make sure yur anti-virus and firewall sftware is up-t-date? D yu have a system fr backing up infrmatin n cmputers and/r servers? Are emplyees instructed t lg ff f all Internet, and ther accunts when they are nt being used? Wh is respnsible fr dwnlading sftware r applicatins t the Dealership s cmputers? Have yu taken steps t prevent and prepare fr a systems failure? Selectin and Oversight f Service Prviders Have yu established criteria fr evaluating, selecting and auditing service prviders? Des the Dealership have cntractual agreements with all f its service prviders? Are service prviders required t agree t be respnsible fr securing and maintaining the cnfidentiality f custmer infrmatin? Is the Dealership advised when a security breach ccurs and des the Dealership have plicies f advising it s service prviders f security breaches?

11 Managing System Failures D yu have a system fr auditing and verseeing the Dealership s privacy plicies and infrmatin security standards? Des the Dealership take immediate crrective actin when a security breach ccurs?

12 DEALERSHIP PRIVACY POLICIES AND INFORMATION SECURITY STANDARDS Our Prgram Crdinatr We have appinted as the Prgram Crdinatr f ur Dealership s Infrmatin Security Prgram. The Prgram Crdinatr will reprt directly t, the f the Dealership. In the event the Prgram Crdinatr ceases t be emplyed by the Dealership r is unable t perfrm his/her respnsibilities, shall take ver the respnsibilities f the Prgram Crdinatr until a new permanent Prgram Crdinatr is appinted. The Prgram Crdinatr s Respnsibilities It is the Prgram Crdinatr s respnsibility t design, implement and maintain privacy plicies and infrmatin safeguard standards as he/he determines t be necessary frm time t time. Specific respnsibilities that have been delegated t the Prgram Crdinatr include: Identifying and assessing the risks t custmer infrmatin in each relevant area f the Dealership s peratin, and evaluating the effectiveness f current safeguards that have been implemented t cntrl these risks. Designing and implementing privacy plicies and infrmatin security standards that are apprpriate fr the size and cmplexity f ur Dealership and its peratins, the nature and scpe f ur activities and the sensitivity f the custmer infrmatin we cllect, stre and share with thers. Regularly mnitring and testing the privacy plicies and infrmatin security standards. Assisting with the selectin f apprpriate service prviders that are capable f maintaining safeguards t prtect the relevant custmer infrmatin and reviewing service prvider cntracts t ensure that each cntracts cntain apprpriate bligatins with respect t the use f custmer infrmatin and the implementatin f safeguards. Evaluating and adjusting the Dealership s Privacy Plicies and Infrmatin Security Standards in light f relevant circumstances, including changes t the Dealership s peratins, business relatinships, technlgical develpments and/r ther matters that may impact the security r integrity f the Dealership s custmer infrmatin. Pursuant t the USA Patrit Act and the Rules adpted by the Financial Crimes Enfrcement Netwrk (FinCEN), a Bureau under the Department f Treasury, the Prgram Crdinatr will als be the cntact persn fr Law Enfrcement Agencies t cmmunicate the names f suspected terrrists and mney launders in an effrt t lcate and secure accunts and transactins invlving thse suspects. Upn receiving a request fr infrmatin frm FinCEN, the Prgram Crdinatr will: Prvide FinCEN with his/her name, title, and apprpriate cntact infrmatin, such as a mailing address, e- mail address, telephne number and facsimile number, and ntify FinCEN prmptly f any mdificatins with respect t cntact infrmatin. Ensure that current accunts maintained by the Dealership, any accunts maintained by the Dealership during the past 12 mnths, and any transactins cnducted during the past 6 mnths that the Dealership is required by law r regulatin t recrd r that the Dealership has recrded and maintained are searched fr the names prvided by FinCEN. If the Dealership has entered int a transactin with an individual r entity n the list, send a Reprt t FinCEN that cntains: (1) The name f the individual, entity r rganizatin; (2) The accunt numbers r,

13 in the case f transactins, the date and type f each transactin; and (3) The scial security number, taxpayer identificatin number, passprt number, date f birth, address, r ther persnal identifying infrmatin prvided by the individual r entity at the time f the transactin. Questins abut the scpe r terms f a request will be directed t the Law Enfrcement Agency that sent the request fr infrmatin t FinCEN, but the Reprt will be sent t FinCEN, nt the Law Enfrcement Agency that requested the search, unless the Prgram Crdinatr is instructed therwise. Emplyee Management and Training All current emplyees and new hirees, as well as independent cntractrs wh perfrm services n behalf f the Dealership, will: Be subject t satisfactry reference and cnsumer/criminal reprt investigatins, where apprpriate. Only have access t custmer infrmatin if they have a business reasn fr seeing it. Participate in the Dealership s privacy plicies and infrmatin security standards training prgram and attend educatinal and training seminars n a regular basis. Sign and acknwledge his/her agreement t ur Dealership s Statement f Privacy Plicies and Infrmatin Security Standards. Be respnsible fr prtecting the cnfidentiality and security f the custmer infrmatin ur Dealership cllects and fr using the infrmatin in accrdance with ur Privacy Plicies. Nt be permitted t pst passwrds near their cmputers r share passwrds with any ther persn. Refer telephne calls r ther requests fr custmer infrmatin t the Prgram Crdinatr r apprpriate manager when such requests are nt received within the rdinary curse f the Dealership s business r are fr infrmatin that the emplyee is nt authrized t prvide. Disclse t service prviders, marketers r any ther parties nly that custmer infrmatin which is necessary t cmplete a transactin initiated by the custmer and/r as permitted by law. If an emplyee is unsure as t whether a specific disclsure is permitted, he r she will be instructed t check with the Prgram Crdinatr r apprpriate manager t verify that it is acceptable t release the infrmatin befre ding s. Be required t ntify the Prgram Crdinatr r apprpriate manager immediately f any attempts by unauthrized persns t btain access t custmer infrmatin and/r if any passwrd r custmer infrmatin is subject t unauthrized access. Any emplyee that fails t abide by ur Statement f Privacy Plicies and Infrmatin Security Standards, whether such failure is intentinal r unintentinal, will be subject t apprpriate disciplinary actin, which may include terminatin f emplyment. When an emplyee ceases t be emplyed by the Dealership, he/she will be required t turn in any keys in his/her pssessin that prvide access t the Dealership and file cabinets, desks, and ffices in the Dealership; passwrds and security cdes, if applicable, will be deleted; and emplyees will nt be permitted t take any custmer infrmatin frm the Dealership.

14 Obtaining Custmer Infrmatin and Verifying Custmer Identities The fllwing prcedures will be implemented with respect t btaining custmer infrmatin and verifying custmer identities: Frms utilized by the Dealership request custmer infrmatin, such as names, addresses, telephne numbers, birth dates, scial security numbers, tax identificatin numbers, and driver s license and insurance infrmatin, t enable the Dealership t verify the identificatin f its custmers. In additin, custmers must sign dcumentatin, including swrn statements in sme cases, wherein the custmer represents and warrants that he/she is the persn identified in the dcumentatin. Emplyees will request t see the custmer s driver s license r ther frm f gvernment-issued identificatin bearing a phtgraph t verify the custmer s identity and will make a cpy f the same t retain in the custmer s file. If a custmer requests financing in cnnectin with a transactin, the custmer will be required t prvide emplyment infrmatin and references and must authrize the Dealership t btain a credit reprt, all f which may be utilized t verify the identity f the custmer. Emplyees may als request cpies f the custmer s utility bills, bank r credit card statements and paycheck stubs. In the event that custmer infrmatin prvided in dcumentatin is cnflicting r cannt be verified upn further inquiry, emplyees shall request additinal gvernment-issued dcumentatin evidencing the custmer s residence and bearing a phtgraph r ther safeguard (i.e. a scial security card, alien identificatin card, r passprt) t enable emplyees t frm a reasnable belief that they knw a custmer s true identity. When apprpriate, emplyees shall write a summary f the means and results f any measures taken t identify a custmer, including the reslutin f any discrepancy in the identifying infrmatin btained. Emplyees will be instructed t ntify the Prgram Crdinatr if custmer infrmatin still cannt be verified. The Dealership has access t updated versins f the alphabetical master list f Specially Designated Natinals and Blcked Persns maintained by the Office f Freign Asset Cntrl (OFAC), which will be checked t ensure that ptential custmers d nt appear n the same. Paper and electrnic recrds cntaining custmer infrmatin and relevant t the Dealership s identity verificatin prcess will be retained by the Dealership in accrdance with federal and state recrd retentin requirements. Upn the expiratin f the apprpriate retentin perid, any such recrds will be dispsed f in a secure manner in accrdance with the Dealership s infrmatin security standards. Infrmatin Systems The fllwing infrmatin security standards will be implemented in rder t prtect custmer infrmatin cllected and maintained by ur Dealership: Emplyees will have access nly t that custmer infrmatin which is necessary t cmplete their designated respnsibilities. Emplyees shall nt access r prvide any ther unauthrized persn access t custmer infrmatin that is btained during the curse f emplyment. Requests fr custmer infrmatin that are utside the scpe f the Dealership s rdinary business r the scpe f an emplyee s authrizatin must be directed t the Prgram Crdinatr r designated individuals. Access t electrnic custmer infrmatin will be passwrd cntrlled. Every emplyee with access t the Dealership s cmputer system and electrnic recrds will have a unique passwrd cnsisting f at least characters, including numbers and letters. Only emplyees that need t access electrnic recrds will be prvided with passwrds.

15 All paper and electrnic recrds will be stred in secure lcatins t which nly authrized emplyees will have access. Any paper recrds cntaining custmer infrmatin must be stred in a deal jacket r flder. Paper recrds must be stred in an ffice, desk, r file cabinet that is lcked when unattended. Electrnic recrds will be stred n a secure server that is lcated in a lcked rm and is accessible nly with a passwrd. Where apprpriate, recrds will be maintained in a fireprf file cabinet and/r at an ffsite lcatin. Custmers, vendrs and service prviders shall nt be left in an area with insecure custmer recrds. Backups f the cmputers and/r server will be made at least nce each day, r at mre frequent intervals as deemed necessary. At least nce each mnth the backup infrmatin will be verified. Backup disks will be stred in a lcked file cabinet. Virus prtectin sftware has been installed n the cmputers and new virus updates will be checked at regular intervals. All cmputer files will be scanned at least nce each mnth, r at mre frequent intervals as deemed necessary. Firewalls and security patches frm sftware vendrs will be dwnladed n a regular basis. All data will be erased frm cmputers, disks, hard drives r any ther electrnic media that cntain custmer infrmatin befre dispsing f them and, where apprpriate, hard drives will be remved and destryed. Any paper recrds will be shredded and stred in a secure area until an authrized dispsal/recycling service picks it up. Emplyees will be instructed t lg ff f all Internet, and ther accunts when they are nt being used. Emplyees will nt be permitted t dwnlad any sftware r applicatins t Dealership cmputers r pen attachments frm unknwn surces. Electrnic recrds may nt be dwnladed t a disk r individual cmputer withut explicit authrizatin frm the Prgram Crdinatr. Electrnic recrds will nt be stred nline and are nt accessible frm the Internet. If custmer infrmatin is transmitted electrnically ver external netwrks, emplyees will be instructed t encrypt the infrmatin at the time f transmittal. Neither current nr frmer emplyees will be permitted t remve any custmer infrmatin frm the Dealership, whether cntained in paper recrds r electrnic recrds, r t disclse ur infrmatin security standards t any persn withut authrizatin frm the Prgram Crdinatr. Selectin and Oversight f Service Prviders In rder t prtect the custmer infrmatin ur Dealership cllects, we will take steps t evaluate and versee ur service prviders. The fllwing evaluatin criteria will be utilized in selecting service prviders: Cmpatibility and willingness t cmply with the Dealership s privacy plicies and infrmatin security standards and the adequacy f the service prvider s wn privacy plicies and infrmatin security standards. Recrds t be maintained by the service prvider and whether the Dealership will have access t infrmatin maintained by the service prvider. The service prvider s knwledge f regulatins that are relevant t the services being prvided, including privacy and ther cnsumer prtectin regulatins.

16 Experience and ability t prvide the necessary services and supprting technlgy fr current and anticipated needs. Functinality f any service r system prpsed and plicies cncerning maintaining secure systems, intrusin detectin and reprting systems, custmer authenticatin, verificatin, and authrizatin, and ability t respnd t service disruptins. Service and supprt that will be prvided in terms f maintenance, security, and ther service levels. Financial stability f the service prvider and reputatin with industry grups, trade assciatins and ther dealerships. Cntractual bligatins and requirements, such as the term f the cntract; prices; sftware supprt and maintenance; training f emplyees; custmer service; rights t mdify existing services perfrmed under the cntract; warranty, cnfidentiality, indemnificatin, limitatin f liability and exit clauses; guidelines fr adding new r different services and fr cntract re-negtiatin; cmpliance with applicable regulatry requirements; recrds t be maintained by the service prvider; ntificatin f material changes t services, systems, cntrls and new service lcatins; insurance cverage t be maintained by the service prvider; and use f the Dealership s data, equipment, and system and applicatin sftware. The right f the Dealership t audit the service prvider s recrds, t btain dcumentatin regarding the reslutin f disclsed deficiencies, and t inspect the service prvider s facilities. Service Prviders will be required t agree cntractually t be respnsible fr securing and maintaining the cnfidentiality f custmer infrmatin, including agreement t refrain frm using r disclsing the Dealership s infrmatin, except as necessary t r cnsistent with prviding the cntracted services, t prtect against unauthrized use r disclsure f custmer and Dealership infrmatin, t cmply with applicable privacy regulatins, and t fully disclse breaches in security resulting in unauthrized access t infrmatin that may materially affect the Dealership r its custmers and t ntify the Dealership f the services prvider s crrective actin. Service prviders will be subject t nging assessment t evaluate their cnsistency with selectin criteria, perfrmance and financial cnditins, and cntract cmpliance. Managing System Failures The Prgram Crdinatr will implement audit and versight prcedures as he/she deems necessary t detect the imprper disclsure r theft f custmer infrmatin and t ensure that emplyees, independent cntractrs and service prviders are cmplying with ur Dealership s Privacy Plicies and Infrmatin Security Standards. If the Dealership s Privacy Plicies and Infrmatin Security Standards are breached, the Prgram Crdinatr will infrm, the f the Dealership. The Prgram Crdinatr and will take apprpriate steps t ntify cunsel, service prviders and custmers f any breach, damage r lss f infrmatin and the risks assciated with the same and will immediately take measures t limit the effect f the breach, identify the reasn fr the breach and implement prcedures t prevent further breaches. In the event f a breach, r at any ther time as the Prgram Crdinatr deems apprpriate, the Prgram Crdinatr may mdify r supplement ur Dealership s Privacy Plicies and Infrmatin Security Standards.

17 EMPLOYEE AGREEMENT TO COMPLY WITH PRIVACY POLICIES AND INFORMATION SECURITY STANDARDS Effective July 1, 2001, the Financial Services Mdernizatin Act f 1999, mre cmmnly knw as the Gramm- Leach-Bliley Act, requires financial institutins that cllect nnpublic persnal infrmatin abut custmers wh btain a financial prduct r service t: (1) Implement privacy plicies and prcedures t prtect the infrmatin they cllect; and (2) Prvide their custmers with certain ntices, including an Initial Privacy Plicy Ntice and, if applicable, an Annual Ntice. In additin, as f May 23, 2003, any financial institutin that cllects persnal infrmatin frm their custmers must cmply with the Federal Trade Cmmissin s Safeguards Rule, which requires financial institutins t develp a written infrmatin security plan that describes their prgram t prtect custmer infrmatin. In certain circumstances, ur Dealership is deemed t be a financial institutin fr purpses f the Gramm-Leach-Bliley Act and the Federal Trade Cmmissin s Implementing Rules. As a cnditin f yur emplyment with ur Dealership, yu agree t: 1. Read the Statement f Privacy Plicies and Infrmatin Security Standards and familiarize yurself with the infrmatin cntained therein. 2. Fllw ur prcedures fr prviding a cpy f ur Privacy Plicy t each custmer. 3. Fllw ur prcedures fr safeguarding and prtecting custmer infrmatin in accrdance with ur Statement f Privacy Plicies and Infrmatin Security Standards. BY SIGNING BELOW, I ACKNOWLEDGE THAT I HAVE RECEIVED AND READ THE STATEMENT OF PRIVACY POLICIES AND INFORMATION SECURITY STANDARDS AND AGREE TO COMPLY WITH THE PRIVACY POLICIES AND INFORMATION SECURITY STANDARDS AS SET FORTH THEREIN AS A CONDITION OF MY EMPLOYMENT. I FURTHER UNDERSTAND THAT THE FAILURE TO FOLLOW THE DEALERSHIP S PRIVACY POLICIES AND INFROMATION SECURITY STANDARDS MAY RESULT IN DISCIPLINARY ACTION, INCLUDING THE TERMINATION OF MY EMPLOYMENT. EMPLOYEE WITNESS DATE DATE

18 STATEMENT OF PRIVACY POLICIES AND INFORMATION SECURITY STANDARDS Effective July 1, 2001, the Financial Services Mdernizatin Act f 1999, mre cmmnly knw as the Gramm- Leach-Bliley Act, requires financial institutins that cllect nnpublic persnal infrmatin abut custmers wh btain a financial prduct r service t: (1) Implement privacy plicies and prcedures t prtect the infrmatin they cllect; and (2) Prvide the custmers with certain ntices, including an Initial Privacy Plicy Ntice and, if applicable, an Annual Ntice. In additin, as f May 23, 2003, any financial institutin that cllects persnal infrmatin frm their custmers must cmply with the Federal Trade Cmmissin s Safeguards Rule, which requires financial institutins t develp a written infrmatin security plan that describes their prgram t prtect custmer infrmatin. In certain circumstances, ur Dealership is deemed t be a financial institutin fr purpses f the Gramm-Leach-Bliley Act and the Federal Trade Cmmissin s Implementing Rules. The purpse f this Statement is t advise yu f yur respnsibilities as an Emplyee f ur Cmpany. As a cnditin f yur emplyment with ur Dealership, yu agree t: 1. Read this Statement f Privacy Plicies and Infrmatin Security Standards and familiarize yurself with the infrmatin cntained herein. 2. Fllw ur prcedures fr prviding a cpy f ur Privacy Plicy t each custmer. 3. Fllw ur prcedures fr safeguarding and prtecting custmer infrmatin in accrdance with ur Infrmatin Security Standards. OUR PRIVACY POLICY Emplyee are respnsible fr prviding a cpy f ur Privacy Plicy t each custmer: 1. That enters int an agreement r understanding fr assistance t btain a lan r financing, regardless f whether r nt financing is ever btained, as fllws: a. In persn when the custmer cmpletes a Credit Applicatin; b. By mail within day(s) f receipt f the infrmatin t cmplete a Credit Applicatin via the telephne; 2. When infrmatin is cllected in rder t assist the custmer t btain payff infrmatin n a trade-in vehicle; and 3. That purchases ther prducts r services (i.e. service cntracts, guaranteed autmbile prtectin (GAP) agreements r insurance) prir t cmpletin f the sale r lease transactin. OUR INFORMATION SECURITY STANDARDS Our Prgram Crdinatr We have appinted as the Prgram Crdinatr f ur Dealership s Infrmatin Security Prgram. It is the Prgram Crdinatr s respnsibility t design, implement and maintain privacy plicies and infrmatin safeguard standards as he/he determines t be necessary frm time t time. The Prgram Crdinatr will reprt directly t, the f the Dealership. In the event the Prgram Crdinatr ceases t be emplyed by the Dealership r is unable t perfrm his/her respnsibilities, shall take ver the respnsibilities f the Prgram Crdinatr until a new permanent Prgram Crdinatr is appinted.

19 Based upn the Prgram Crdinatr s risk assessment f ur Dealership s peratins, including emplyee management and training and ur infrmatin systems (i.e. infrmatin cllectin, prcessing, strage, transmissin and dispsal, and ptential system failures), the fllwing privacy plicies and infrmatin security standards have been adpted fr all f ur emplyees and any independent cntractrs. Individual emplyees may be given additinal respnsibilities as well. Cmpliance with ur Dealership s privacy plicies and infrmatin security standards is a cnditin f yur emplyment with us. Emplyee Interviewing, Hiring and Training All current and new emplyees, as well as independent cntractrs wh perfrm services n behalf f the Dealership, will: 1. Be subject t satisfactry reference and cnsumer/criminal reprt investigatins. 2. Participate in the Dealership s privacy plicies and infrmatin security standards training prgram and attend educatinal and training seminars n a regular basis. 3. Sign and acknwledge his/her agreement t ur Dealership s Statement f Privacy Plicies and Infrmatin Security Standards. 4. Be respnsible fr prtecting the cnfidentiality and security f the custmer infrmatin ur Dealership cllects and fr using the infrmatin in accrdance with ur Privacy Plicies. Obtaining Custmer Infrmatin and Verifying Custmer Identities The fllwing prcedures have been implemented with respect t btaining custmer infrmatin and verifying custmer identities: 1. Frms utilized by the Dealership request custmer infrmatin, such as names, addresses, telephne numbers, birth dates, scial security numbers, tax identificatin numbers, and driver s license and insurance infrmatin, t enable the Dealership t verify the identificatin f its custmers. 2. Emplyees must request t see the custmer s driver s license r ther frm f gvernment-issued identificatin bearing a phtgraph t verify the custmer s identity and will make a cpy f the same t retain in the custmer s file. If a custmer requests financing in cnnectin with a transactin, the custmer must cmplete a credit applicatin, prvide emplyment infrmatin and references, and authrize the Dealership t btain a credit reprt. Emplyees may als request cpies f the custmer s utility bills, bank r credit card statements and paycheck stubs. 3. In the event that custmer infrmatin prvided in dcumentatin is cnflicting r cannt be verified upn further inquiry, emplyees shall request additinal gvernment-issued dcumentatin evidencing the custmer s residence and bearing a phtgraph r ther safeguard (i.e. a scial security card, alien identificatin card, r passprt) t enable emplyees t frm a reasnable belief that they knw a custmer s true identity. If custmer infrmatin still cannt be verified, emplyees shall ntify the Prgram Crdinatr fr further instructins. 4. The Dealership has access t updated versins f the alphabetical master list f Specially Designated Natinals and Blcked Persns maintained by the Office f Freign Asset Cntrl (OFAC), which shuld be checked t ensure that ptential custmers d nt appear n the same. Prtecting the Cnfidentiality and Security f Custmer Infrmatin

20 Each emplyee is respnsible fr prtecting the cnfidentiality and security f the custmer infrmatin ur Dealership cllects and fr using the infrmatin in accrdance with ur Privacy Plicy. The fllwing security prcedures must be fllwed in rder t prtect ur custmer infrmatin: 1. Emplyees shall have access nly t that custmer infrmatin which is necessary t cmplete their designated respnsibilities. Emplyees shall nt access r prvide any ther unauthrized persn access t custmer infrmatin that is btained during the curse f emplyment. Emplyees must refer requests fr custmer infrmatin t the Prgram Crdinatr r apprpriate manager when such requests are nt received within the rdinary curse f the Dealership s business r are fr infrmatin that the emplyee is nt authrized t prvide. 2. All paper and electrnic recrds must be stred in secure lcatins t which nly authrized emplyees have access. Any paper recrds cntaining custmer infrmatin must be stred in a deal jacket r flder. Paper recrds must be stred in an ffice, desk, r file cabinet that is lcked when unattended. Electrnic recrds will be stred n a secure server that is lcated in a lcked rm and is accessible nly with a passwrd. Where apprpriate, recrds will be maintained in a fireprf file cabinet and/r at an ffsite lcatin. Custmers, vendrs and service prviders shall nt be left in an area with insecure custmer recrds. 3. Access t electrnic custmer infrmatin will be passwrd cntrlled. Every emplyee with access t the Dealership s cmputer system and electrnic recrds will have a unique passwrd cnsisting f at least characters, including numbers and letters. Only emplyees that need t access electrnic recrds will be prvided with passwrds. Passwrds may nt be psted near cmputers r shared any ther persn. 4. Emplyees that have access t the cmputer system and electrnic recrds may nt dwnlad any sftware r applicatins t ur Dealership cmputers r pen attachments frm unknwn surces. Emplyees must lg ff f any Internet, r ther accunt when it is nt in use. 5. Electrnic recrds may nt be dwnladed t a disk r individual cmputer withut explicit authrizatin frm the Prgram Crdinatr. If custmer infrmatin is transmitted electrnically ver external netwrks, emplyees must encrypt the infrmatin at the time f transmittal. 6. All data must be erased frm cmputers, disks, hard drives r any ther electrnic media that cntain custmer infrmatin befre dispsing f them and, where apprpriate, hard drives will be remved and destryed. Any paper recrds must be shredded and stred in a designated secure area until an authrized dispsal/recycling service picks it up. 7. Emplyees may nt remve any custmer infrmatin, whether cntained n paper recrds r electrnic recrds frm the Dealership r disclse ur security standards t any persn wh is nt emplyed by us withut authrizatin frm the Prgram Crdinatr. 8. Only that infrmatin which is necessary t cmplete a transactin initiated by the custmer, is specifically authrized t be disclsed by the custmer and/r is permitted t be disclsed by law shall be prvided t service prviders, marketers r any ther parties. If yu are unsure as t whether a specific disclsure is permitted, it is yur respnsibility t check with the Prgram Crdinatr r yur manager t verify that it is acceptable t release the infrmatin befre ding s. 9. Neither current nr frmer emplyees will be permitted t remve any custmer infrmatin frm the Dealership, whether cntained in paper recrds r electrnic recrds, r t disclse ur infrmatin security standards t any persn withut authrizatin frm the Prgram Crdinatr. 10. The Prgram Crdinatr r apprpriate manager shuld be ntified immediately f any attempts by unauthrized persns t btain access t custmer infrmatin and/r if any passwrd r custmer infrmatin is subject t unauthrized access.

21 11. When an emplyee ceases t be emplyed by the Dealership, he/she must turn in any keys that prvide access t the Dealership and file cabinets, desks, and ffices in the Dealership; passwrds and security cdes, if applicable, will be deleted. Disciplinary Actin Any emplyee that fails t abide by ur Statement f Privacy Plicies and Security Standards, whether such failure is intentinal r unintentinal, will be subject t apprpriate disciplinary actin, which may include terminatin f emplyment.

22 ADDENDUM This Addendum mdifies the ( Agreement ) entered int between ( Dealer ), and ( Cmpany ). By executing this Addendum, Dealer and Cmpany acknwledge and agree that this Addendum is incrprated int and made a part f the Agreement, the terms and prvisins f which, except as expressly mdified in this Addendum, are hereby affirmed and ratified by Dealer and Cmpany and remain in full frce and effect. It is agreed between the parties t the Agreement and this Addendum that, ntwithstanding anything t the cntrary cntained in the Agreement r in any ther dcuments pertaining t the Agreement, Dealer and Cmpany shall cmply with all privacy and data prtectin laws, rules and regulatins applicable nw and in the future. Withut limiting the generality f the preceding sentence, Dealer and Cmpany agree that they will implement and maintain apprpriate safeguards t prtect custmer infrmatin and that they will nt use r disclse nnpublic custmer infrmatin that they receive pursuant t the terms f this Agreement t any ther party, except as is reasnably necessary t fulfill the purpses fr which such infrmatin was prvided and as therwise permitted by applicable law. Fr purpses f this Addendum, the terms nnpublic persnal infrmatin and financial institutin shall have the meanings set frth in Sectin 509 f the Gramm-Leach-Bliley Act (P.L ) (15 U.S.C. Sectin 6809) and implementing regulatins theref. The prvisins cntained in this Addendum shall survive the terminatin r expiratin f the Agreement, by the expiratin f time, by peratin f law, r therwise. IN WITNESS HEREOF, and intending t be bund by the terms and cnditins heref, each f the parties has caused this Addendum t be executed by its duly authrized representative as f the respective dates set frth belw. Dealer: By: Its: Date: Cmpany: By: Its: Date: