HOT TOPICS
2017 MEMBERSHIP DIRECTORY
practices” authority under Section 5 of the FTC Act as the hook. The federal Third Circuit affirmed the FTC’s power to oversee cybersecurity. The court stated in a unanimous ruling that “deficient cybersecurity” practices, which “fail to protect consumer data against hackers,” may be found to be “unfair” practices under the Act, subject to FTC enforcement. In addition to the inadequate data security practices (listed in the FTC Safeguards Rule above), the FTC has cited, among other things, keeping sensitive information longer than it is needed; using commonly known default passwords; using P2P networks to transmit sensitive information; allowing wireless access to sensitive information; and excessive file sharing as examples of security shortfalls. The FTC has brought and settled numerous enforcement actions against companies that did not have adequate data security programs in place. The FTC considers inadequate data security practices to be an “unfair trade practice” for which it can seek enforcement, oversight, redress for consumers, and civil penalties when credit report information is involved. Consent orders entered into by the FTC have included 10-20 years of FTC oversight, biennial audit certifications by specialized security firms, monetary penalties that can total up to $40,000 per violation of the order, and costly mandatory systems and operational upgrades. A senior FTC official stated that auto dealers “should treat consumer information as if it were cash.”
IDENTITY THEFT
OFAC
The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) mandates that no U.S. person (including auto dealers) can do any business—cash or credit—with persons or entities included on OFAC’s list of Specially Designated Nationals and Blocked Persons (“SDN List”). These are lists of persons or entities suspected of being associated with or funding terrorist organizations and other criminal enterprises. The list is frequently updated; a searchable version of the current list is published on OFAC’s website, www.treasury.gov/ofac/downloads/sdnlist.txt.
A credit bureau or electronic identity verification service can systematically check a customer against the current SDN List. You must run all of your customers – both cash and credit – against the SDN List. You should also run service and parts customers who make unusual orders (e.g., high quantities of materials that could be used in making an explosive device) or who otherwise seem suspicious. If you get a preliminary match, OFAC lists a series of steps to determine whether you have a true match or a false positive. If you believe you have a true match after following those steps, you must call OFAC at 800.540.6322 or 1-202-622-2490, and you cannot do business with that person unless instructed otherwise. Penalties can include civil penalties of $1 million per violation, fines up to $10 million, plus imprisonment for up to 30 years. Given the presence of terrorist groups such as ISIS targeting terrorist attacks in the U.S., it is important to run OFAC checks on persons who rent vehicles from your dealership or engage in other acts that could be an element of a terrorist act. You don’t want to be the dealer that sold parts, vehicles, or other devices that helped facilitate a terrorist attack on our homeland.
FTC Red Flags Rule
The Red Flags Rule requires a dealership to perform a risk analysis to develop and implement a written Identity Theft Prevention Program (“ITPP”) to detect, prevent, and mitigate identity theft. It is not a “one size fits all” rule.