More than 30 years ago, I made a list of what motivates people. Although I am unsure why, I was motivated to make the motivation list.
I have no recollection of where these pieces or parts may come from, but here they are:
- Make money
- Save money
- Save time
- Avoid effort
- Become more comfortable
- Achieve greater cleanliness
- Attain fuller health
- Escape physical pain
- Gain praise
- Be popular
- Attract someone else
- Conserve possessions
- Increase enjoyment
- Gratify curiosity
- Protect family
- Be in style
- Have or hold beautiful possessions
- Satisfy appetite
- Emulate others
- Avoid trouble
- Avoid criticism
- Be individual
- Protect reputation
- Take advantage of opportunities
- Have safety in buying something
- Make work easier
The list is not perfect, but it’s not bad, either.
Nothing happens at a dealership until something is sold. That is what pays the bills.
We can easily parlay this list into motivational leverage, with the goal of selling something. However, on the “other” side from selling, in governing the business, using some motivators can avoid problems, dodge pain, save money, protect your reputation and sidestep trouble.
When focusing on avoiding or eliminating problems, you are in the arena called governance, risk and compliance (GRC). Averting foreseeable issues, or “preventable risk,” will be this article’s core motivation.
Having a robust GRC program at a dealership will eliminate obvious and avoidable issues. Here is a summary of the eight steps involved in a dealership GRC program:
- Identify risks and compliance obligations
- Prioritize the work according to potential catastrophic problems and willful noncompliance penalties
- Reduce exposure by building a proactive risk transference program
- Create your internal risk and compliance policies and procedures
- Evolve from reactive to proactive to limit your risks
- Assign responsibilities and accountability
- Track progress to protect the dealer, personally, and the dealership’s assets
- Routinely review and audit people, processes, policies and technology to document and revise compliance and risk protocols
A robust GRC program will translate into action when a dealership has a keen focus on creating a compliance program.
Some dealers say they have a strong program, when, in fact, they do not. For example, do you have a designated compliance person at each store? Compliance duties need not be an employee’s sole job but, instead, a part of their other responsibilities.
Without a designated compliance person at each store, you really have no program, because no one is performing the work. Now is a great opportunity to start your GRC program, as the Federal Trade Commission (FTC) and the state Attorneys General have ramped up enforcement activity against dealerships.
In November 2021, the FTC passed new regulations with which dealers must comply as a part of the Gramm-Leach-Bliley Act (GLBA), which originally took effect in 2003.
The FTC issued two new 2022 compliance deadlines: Jan. 10 and Dec. 9. The Dec. 9 deadline was later pushed to June 9, 2023.
Here is a brief summary of what you need to know to be compliant with the GLBA update.
GLBA in General
The GLBA was created to protect customers’ personally identifiable information (PII). The act is a federal data security rule requiring dealers to secure and protect customer information. The original rule says dealers must ensure their affiliates and service providers safeguard customer data, as well.
Numerous data breaches led to the FTC’s 2021 update.
Jan. 10 Deadline
By Jan. 10, 2022, dealerships must have completed the following compliance steps.
Dealerships must have developed a written information security program (ISP) containing administrative, technical and physical safeguards “that are appropriate to your size and complexity…and the sensitivity of any customer information at issue.”
The dealership should “base (its) information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.”
Perform risk assessments: “You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure…or compromise of such information and reassess the sufficiency of any safeguards in place to control these risks.”
Test or monitor controls: “Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.”
Oversee service providers: Take reasonable steps to select and retain service providers who can maintain appropriate safeguards for the customer information at issue. Dealers are required to implement and maintain such safeguards.
Evaluate and adjust your ISP in light of testing and monitoring results, any material changes to your operation, the results of your risk assessment and any other circumstances that may have a material impact on your information security program.
June 9 Deadline
Unfortunately, you have more work to do.
- The PII definition has changed to include home address, email address and cell phone number.
- Your ISP should be written.
- Data containing PII must be encrypted both in transit and at rest.
- The dealership must have a written data retention policy and adhere to it.
- A qualified and designated individual must oversee, implement and enforce the ISP.
- Limit and monitor who has access to PII.
Dealers must oversee service providers (vendors) through written agreements that require them to protect customer data. They must reverify their service providers’ security practices at least annually. Dealers are required to monitor and assess these vendors and to audit and document the interactions.
Change management procedures must be in writing. If an employee is fired or quits, following these procedures ensures your program can continue. Finally, dealers must control the life cycle through procedure standardization to manage risk and minimize disruption.
The risk assessment must be in writing and contain the identified security risks, the criteria used to evaluate existing controls and a description of how the dealership will mitigate risks. Some risk is acceptable, but the risk assessment must state, in writing, why it is acceptable. The dealership must update the assessment as risks change, and dealers must periodically perform these assessments.
Information technology (IT) requirements include multi-factor authentication, plus either continuous IT system monitoring or, alternatively, annual penetration testing together with vulnerability assessments conducted at least every six months. Anti-virus software and endpoint protection must be installed and in use so that all computers can be remotely monitored and updated.
Annual training for all employees must include documentation with signed employee acknowledgements. All employees must complete training, without exceptions.
Finally, a written incident response plan must describe how the dealership will respond to a data breach, who holds which responsibilities and decision-making authority, and what communications will take place inside the store and with third parties.
Data encryption is the critical dealer concern here. All data containing PII must be encrypted both in transit and at rest. For example, when someone is scheduling a service appointment through your website, the data must be encrypted between the scheduler and your service advisors. As another example, the data sitting in your CRM must be encrypted at rest.
Dealers have a lot to work on here.
For instance, salespeople no longer can send PII to their manager through email if it is unencrypted. The GLBA impacts your relationship with most internet vendors.
Consider having your payables department develop a list of all vendors that have anything to do with email or the internet. Contact them one by one to see whether they are compliant with encrypting their data. SaaS software solutions are available to help track activity.
GLBA noncompliance fines are $46,517 per violation. The FTC can take an expansive view of what a “violation” is, depending on the circumstances, particularly regarding issues involving multiple customer records.
Data breaches are real and happen every day. Currently, one dealership in northern Virginia is immersed in a class-action lawsuit over a data breach. These lawsuits are wildly expensive.
Consider robust data security a beneficial business practice. Do you really want to call your third-generation customers to tell them their data is on the dark web because of a breach at your store?
While not part of GLBA, consider including cyber insurance as part of your GRC program. To be diligent about your cyber policy, read the exclusions. You might be surprised at what you find:
- Does the policy have a sublimit for ransomware, or does it cover the full limits?
- Do you have business interruption coverage after a breach?
- Does the policy cap the number of individuals it will cover?
- Does the policy cover regulatory penalties?
- Does the policy cover “end-of-life” computers or software?
The overall philosophy with the GLBA, and the rest of your GRC program, should be to remediate and correct, document and report, and evaluate and revise.
If you manage the preventable risk around these issues, you can focus on the more positive side of the 26 items above, like increasing your enjoyment and making money. That is how you can stay on the black side of the ledger.
Tom Kline, a former franchise dealership owner with more than 30 years of experience, specializes in solving dealership problems through risk mitigation remedies, compliance and dispute resolution. Kline is the lead consultant and founder of Better Vantage Point and AlwaysDoBetter.com. He has worked with publicly held and private dealerships. Kline routinely speaks at national conferences, workshops and 20 Groups, presents webinars about risk transference and risk mitigation topics and techniques, and provides expert witness testimony to defend dealerships.