New 2011 Compliance Initiatives May Signal Auto Dealer Scrutiny

The summer of 2011 has brought a dramatic increase in compliance enforcement proceedings against banks and financial institutions. Many of the issues apply to auto dealers as well, and dealers will be likely candidates as the regulators continue to drill down.

The American Banker reported on August 1 that the Obama Administration Justice Department has been making an “aggressive push” on bringing enforcement proceedings involving credit discrimination and fair lending.  The American Banker reported that:

“In part as a reaction to the financial crisis, the Obama administration has targeted banks for alleged redlining and other fair lending violations to an extent not seen since the Clinton administration.

But critics charge the effort has gone too far, claiming Justice has misused legal interpretations to bring complaints to court, alleged redlining in areas outside a bank's market area and encouraged loans to unqualified borrowers as part of expensive settlements.”

The Justice Department has used the Equal Credit Opportunity Act (ECOA) as one of its linchpins to bring enforcement actions against banks. ECOA applies to auto dealers as well. The Department’s Civil Rights Division received 49 referrals last year, which was more than in the prior 20 years combined. In fact, the Justice Department established a special new unit within its Civil Rights Division just to handle discrimination complaints.

The FTC has also been active in the area of data security practices, bringing enforcement proceedings against entities that do not maintain adequate data security of customer and employee non-public personal information (NPI). Two new consent decrees recently came down, each involving 20 years of direct FTC oversight and mandating specific security procedure upgrades and third-party security audits during the term of the consent decrees. Both cases followed data procedure hacks in which customer or employee personal information, including Social Security numbers, was wrongfully accessed.

One issue cited by the FTC in both cases was that the companies had promised in their privacy notices comprehensive security to protect NPI but fell well short in their security practices.  Among the poor security practices cited by the FTC that it alleged constituted an unfair trade practice under Section 5 of the FTC Act were the following:

- Not adequately assessing the vulnerability of their Web applications and network to commonly known or reasonably foreseeable attacks such as SQL injection attacks;

- Storing NPI in clear, readable text indefinitely on their networks without a business need for indefinite storage;

- Failing to require periodic changes of user credentials, such as every 90 days, and failing to make passwords hard to guess;

- Failing to employ sufficient measures to detect and prevent unauthorized access to their networks, such as by employing an intrusion detection system and monitoring system logs to track use by authorized and unauthorized persons; and

- Failing to provide adequate employee training.

The programs mandated by the FTC in the consent decrees included the implementation of risk assessment programs to identify material internal and external risks to the security, confidentiality, and integrity of personal data.  The FTC also required regular monitoring and testing of a new comprehensive information security program.  Each company is required to obtain an assessment and report from a qualified, objective, independent third-party professional security firm certifying that the security program is in place and operating with sufficient effectiveness to meet the FTC’s standards.  As is typical with FTC data breach consent decrees, these third party assessments must be obtained within 180 days and every two years thereafter for a period of 20 years.  Employee data as well as customer data is required to be protected under the data security plan.  The FTC also required the companies to designate an employee to coordinate and be personally accountable for the information security program.

In earlier cases, the FTC typically determined that a business’s failure to meet its own policies and promises concerning data security constituted an unfair business practice. It may seem obvious, but do what you promise to do and don’t do what you promise not to do. If your privacy notice says you don’t share consumer information, don’t share it, even with affiliates. Almost every FTC privacy consent decree has involved companies that violated non-use and non-sharing provisions of their privacy notices.

More recently, the enforcement focus of the FTC has begun to look at security practices objectively to determine whether they were reasonable in relation to the risk.  This can be classic “Monday morning quarterbacking” when a data security breach occurs. The FTC consent decrees have brought into focus what the agency expects as a baseline security program.  For example, in one case, the FTC focused on the importance of intrusion detection systems and criticized the company for failing to monitor and filter outbound traffic to block the export of secure information.  Many companies voluntarily use data loss prevention software to detect and block the transmission of sensitive personal data from their systems, such as from employee email.  But in this one case, the FTC effectively took the position that Section 5 of the FTC Act essentially requires the monitoring of outbound traffic. 

Now would be a good time to review your Safeguards plan and consider training or retraining your staff.  Limit the persons who can access personal information in both electronic and paper form.  Implement a log system of who accesses deal jackets and other customer information—both electronically and in paper. This is a critical element of an information security program.  Review the logs regularly to assess spikes in access by authorized users as well as any unauthorized users.  Monitor and restrict access by service providers as well.  Disable the exporting of NPI through USB drives, email, and other media.

The FTC has indicated data security to be a top priority and stated again its position that inadequate data security practices constitute an unfair trade practice within the meaning of Section 5 of the FTC Act. Enforcement proceedings under Section 5 for poor customer information security typically lead to these kinds of 20-year consent decrees. A violation of the consent decree exposes the company to possible penalties of up to $16,000 per violation. The defense and compliance costs over 20 years can be utterly staggering, and don’t think plaintiffs’ lawyers don’t take note when the FTC has done its work for them. Making an employee personally accountable for non-compliance personalizes the risk.

Finally, the new Consumer Financial Protection Bureau (CFPB) outlined principles to work together with the National Association of Attorneys General. The CFPB will effectively partner with State Attorneys General to share information and conduct joint or coordinated investigations and enforcement actions involving alleged violations of CFPB regulations and the consumer protection provisions of the Dodd-Frank Act. Banking regulators had previously conducted compliance exams in secret and not shared information with state regulators. Especially now that the CFPB has set up a consumer complaint website with links to the FTC and State Attorneys General, it is reasonable to believe there will be more coordinated action among federal and state law enforcement authorities if multiple claims are made against auto dealers and other creditors. State Attorneys General looking for funds for state-starved coffers have frequently considered auto dealers to be the “low hanging fruit” for enforcement claims, especially on subjects like advertising and deceptive trade practices. This trend too is likely to continue.

Randy Henrick is Associate General Counsel and lead Compliance Counsel for DealerTrack, Inc. This article is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situation from a knowledgeable attorney or compliance professional licensed to practice in your state.