
Updated: Nov 12, 2024


"At least 6.4 million flu cases were reported between October and December 2019. Given that influenza is a serious medical condition, do dealerships have a role to play in limiting its spread?"




By the time you read this article the 2019–2020 flu season will be in full swing, with its attendant symptoms: fever (or chills), cough, sore throat, runny nose, body aches, headaches, and fatigue. And according to the Center for Disease Control (CDC), this year’s flu season could be a doozy.





What is a Service Provider?


A Service Provider is any person or entity that receives, uses, processes, stores, or has access to your customers’ information through their providing services to your dealership. Service Providers include:

  • banks

  • credit unions

  • F&I providers

  • F&I administrators

  • F&I agents

  • third-party IT support

Even your janitorial service could be considered a Service Provider, but whether or not your service providers must comply with the Safeguards Rule depends on whether they have access to customer data.


One way to create a list of your dealership’s service providers is to review your dealership’s accounts payable list. If you use a service provider, you generally have to pay them.


Look down the list and ask yourself: does this company have access to customer NPI (nonpublic personal information) in the course of its duties on behalf of the dealership? If the answer is yes, it is a service provider.


Not all service providers are obvious. For example, does your after-hours cleaning service have access to unlocked file cabinets containing customer NPI? How about your offsite storage vendor? Or your third-party IT consultant or forms programmer?


How do I manage my Service Providers?


Once you have identified your dealership’s service providers, the Rule requires that they be “overseen.” What does that mean? The Rule states two specific requirements.

  • First, a dealership must take reasonable steps to select and retain service providers who are capable of protecting customer NPI.

  • The second specific requirement is to require by contract that the service provider protect your customers’ NPI.

To reasonably oversee your dealership’s service providers, you should review each lender agreement to determine if it contains a promise to implement and maintain safeguards. You should do the same with your dealership’s contracts with F&I product providers and other service providers.


How do I document and track my service provider’s compliance with the Safeguards Rule?


Once you’ve confirmed each contract contains a promise to implement and maintain safeguards, make a copy of each lender agreement and put it with your Safeguards Program records.


Mosaic provides a software solution for managing service provider compliance with the Safeguards Rule. This solution allows you to retain and track all relevant documentation and information needed to prove service providers’ compliance with the rule and allows you to quickly compile this information into the required annual report needed to comply with the rule.


Service provider management is an important part of the Revised FTC Safeguards Rule, but it can feel daunting to approach. If you need help getting started, Mosaic and our partners have resources to help. If you would like to learn more, contact us for a Safeguards Consultation today or get started now by filling out our Network Status Questionnaire.




Originally published in Auto Dealer Today Magazine on March 16, 2022.


"The unintended consequence of the revised Safeguards Rule is that, faced with high costs, a dealer may reasonably believe that doing nothing is an attractive option. That option is attractive, but not viable."


"In the beginning was the Gramm-Leach-Bliley Act, at least when it comes to dealership awareness of consumer data security issues. And the Gramm-Leach Bliley Act begat the Safeguards Rule, which has been the law of the land since 2003..."




