HOT TOPICS

2017 MEMBERSHIP DIRECTORY

9. Develop a risk-based Red Flags Identity Theft Prevention Program (“ITPP”) and implement it consistently for all consumer credit customers and business credit customers that present identity theft risks.

Use your ITPP with every customer and document that you’re doing so. Choose red flags that are appropriate to the size, location, and activities of your dealership. If you sell vehicles over the Internet or to customers who never physically come to your dealership, take enhanced steps to verify those customers’ identities. Examine photo IDs, look at recent credit bureau activity, and use an electronic identity verification service to compare customer information against databases of fraudulent activity and to assess the customer’s given Social Security number. Identify any red flags in your ITPP that these actions reveal. If you cannot readily resolve the red flags with the customer, use knowledge-based authentication “challenge” or “out-of-wallet” questions as well. One best practice to address a questionable Social Security number is to ask the customer to access their Social Security earnings statement on their smartphone or a dealership PC. This can be done at www.ssa.gov/myaccount. Escalate problematic customers to your Program Manager and continue to seek additional information or ask more out-of-wallet questions. Make sure your ITPP has a process for documenting your ITPP activities for each credit customer. Conduct ongoing training and periodic testing of your ITPP. Refine and update your Program as new information about identity theft comes to your attention. Don’t forget to hold an annual Program review for participating employees and to make an annual report to your Board of Directors and senior managers.

10. Educate your employees about the risks of identity theft and social networking attacks.

As email spam filters have become more sophisticated, fraudsters have turned to other social engineering methods that prey on consumers’ trust. Tell employees not to click on any Internet link unless they are certain of the legitimacy of the source. Emails purporting to be from friends, law enforcement, or trusted institutions may contain links that load malware onto the employee’s PC and network if clicked.

Additional Resources

FTC Business Security Guide: www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

FTC Safeguards Rule: www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Department of the Treasury, information and links to the OFAC SDN List: www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx

OFAC – Assessing SDN List Matches for a Customer: www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_compliance.aspx#match

Searchable OFAC List – a site that lets you enter a business name to see if it matches an entry on the OFAC list: www.instantofac.com

FTC Consumer Information Disposal Rule: www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how

State Data Security Breach Notification Laws: www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Information Compromise and the Risk of Identity Theft: FTC Guidance for Your Business: www.ftc.gov/tips-advice/business-center/guidance/information-compromise-risk-identity-theft-guidance-your

Social Security Randomization: www.ssa.gov/employer/randomization.html

Information provided courtesy of Dealertrack Technologies, 888.705.7926; www.dealertrack.com