Continuing with our Consumer Privacy Awareness theme, I want to take a step back and go back to the basics. What do I mean when I talk about "compliance" when it comes to consumer privacy?
When you applied for your state license to sell cars, many aspects of consumer protection were explained in the requirements for doing business. You and your legal team have reviewed the appropriate statutes and structured your store to follow the letter of the law and safeguard your customers’ personal information.
When looking at consumer privacy considerations for your dealership, there are two primary categories to take into account: how the information will be handled offline, and how it will be protected online.
In this post, we'll take a closer look at offline best practices.
[Note: this content is not intended to replace legal counsel from your compliance attorney - rather to get you to revisit how you're operating. If you have serious questions, contact the guys who get paid to keep up with this stuff.]
The overriding structure for all of these best practices is your store’s policy for handling sensitive customer data, and the requirements you put in place to ensure that the rules are being followed.
Here are the building blocks for putting together an effective system to manage consumer data properly and protect your dealership:
1) Define sensitive information - Government regulations provide guidelines on this topic, and you need to give your employees explicit instructions on how it applies to your store. For example: what besides the social security number (SSN) -- which should be a given -- do you guard with your life? Does the definition include last names or mailing addresses?
2) Secure all personal consumer information - Here’s the best advice: treat the customer’s information as if it were your own. Would you like your SSN lying around on a desk or open on a computer screen? Make it easy for your team to lock it down -- set computers to automatically lock their desktops after a set period of inactivity, and provide locked areas for hard copy storage.
3) Design an audit process - Whatever system you use to protect your consumer data, make sure that it is checked regularly for leaks and loopholes. If one of your employees is using the information improperly or being negligent, you need to know before it develops into a legal problem.
4) Screen potential employees - Make sure that you do a thorough reference and background check for anyone that you hire to work your finance process. You are putting them in a key position in your dealership, and they can represent a significant vulnerability if they don’t repay your trust.
Be selective about how you receive and handle consumer information. If you are working with financing applications online and submitting to lenders electronically, there’s almost no reason for you to print out an application with sensitive data on it. If you absolutely have to have a hard copy, be sure to use a permanent marker to obscure the SSN and do not leave these documents out on your desk.
The same with faxes - always black out the SSN completely and turn off fax machines after hours to prevent an accidental data leak. Fax machines and email are two of the most vulnerable methods of delivery, which means you need to avoid them when you can.
If faxes and email are a necessary part of your day-to-day operations, always think “safety first” and conceal the SSN. If you need to send the application to your lender via fax, be sure to do it only during business hours when they are expecting it -- and confirm receipt.
This is a critical facet of data handling - important enough to merit its own highlight.
Keep in mind that consumer data is not only security-sensitive but time-sensitive. If they have provided it to you, they are expecting you to use it and dispose of it quickly. It is intended for use in processing their loan application and completing their purchase. Period.
The best method of disposal for hard copy records is shredding. Whether through a business-grade shredder in your store office or a secure shredding service, you must destroy the physical copies of these records in order to keep the consumer’s personal information secure.
If for some reason you are legally required to hold on to hard copies of your purchase agreements beyond the initial purchase period, it is your responsibility to ensure that they are held in a secure location. They should be under lock and key whether they are stored on site or offsite. If you choose to store this information offsite, there are trusted and reputable vendors that can mitigate your risk of a leak.
The number one issue we see car dealers running into is consumer consent - you can see my recent post about it here. It is far too easy to simply do a hard credit pull against an application, regardless of whether the consumer is aware that you are running a credit check. You have an ethical responsibility to inform customers when impacting their credit history. Audit your business operations and enforce this practice with your staff.
By getting consumer consent - ideally when they’re already sitting down with you - you protect yourself on two fronts: on the consumer side and on the credit bureau side. Remember, these credit inquiries are traceable back to your business -- we’ve seen consumers track down and sue dealerships who they felt used their information fraudulently. Make sure that your store’s policies around handling credit checks are consumer-friendly.
From the credit bureau perspective, you’re not only running up your own bureau fees unnecessarily, you’re also generating trigger leads. If you didn’t already know, once you’ve pulled credit on a given consumer, the credit bureau then has the legal right to resell that information to subscribers who have signed up to purchase that information as it becomes available. Your store may even be one of the data customers buying this information.
All of which means that unless this particular consumer is already in your store, you’ve probably just sent them off as a potential prospect to other dealerships in your backyard. You’ve just given your competition a chance to work the lead before you’ve even started your sales process.
If that's not a good reason to stop doing it, I don't know what is.
Hopefully I've given you some food for thought when it comes to managing your customers' personal information offline. Tune in next week when I pull together best practices for handling it online.
In the meantime, take a look around your store and ask yourself: do I have any gaps in my finance process that might compromise my customers?