FTC overview on GLBA Final Rule on Safeguards Safeguard Rule-Resources, Risks, Compliance, and Consequences

Upload: brent-hillyer

Post on 01-Jun-2015


DESCRIPTION

This was a presentation for a large dealer group on how and why to follow the FTC Safeguards Rule. It was designed to target sales-level employees, since they are usually the main risk point.

TRANSCRIPT

1. Safeguard Rule - Resources, Risks, Compliance, and Consequences

2. The views expressed in this presentation are those of the speaker and not necessarily those of the Commission or any individual Commissioner. For more detailed information, visit the FTC's homepage at www.ftc.gov.

3. Implements the security provisions of the Gramm-Leach-Bliley Act of 1999. Took effect May 23, 2003, with an extra year to conform third-party service provider contracts entered into prior to June 24, 2002. Has a flexible standard, but imposes certain basic requirements. See 67 Fed. Reg. 36484.

4. Each financial institution must develop, implement and maintain a comprehensive information security program that is written in readily accessible part(s). The program must contain administrative, technical and physical safeguards that are appropriate to:
   - the size and complexity of the financial institution;
   - the nature and scope of its activities; and
   - the sensitivity of its customer information.

5. Designate one or more employees to coordinate its program; assess risks to the security of customer information; design and implement safeguards to address risks, and test and monitor their effectiveness over time; oversee service providers; and adjust the program to address developments.
   *Fines of up to $3500 for failure to draft an IT Security Plan. This is on top of any fines for the violations themselves.

6. To assess risks and design safeguards, a financial institution must consider all relevant areas of its operation, including:
   1. Employee training and management;
   2. Information systems, including network and software design, as well as information processing, storage, transmission and disposal;
   3. Detecting, preventing and responding to attacks, intrusions, or other systems failures.

7. Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and require service providers by contract to implement and maintain such safeguards.
   *Service providers are companies that handle or have access to customer information in the course of providing services directly to a financial institution.

8. Applies to financial institutions under the FTC's jurisdiction; includes financial institutions that receive customer information from another financial institution. This includes anyone who helps to arrange credit (including RV dealers, the Finance Department, and the persons filling out/handling credit apps).

9. Any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956. An institution that is significantly engaged in financial activities is a financial institution. This last piece is what includes us.

10. Lending, exchanging, transferring, investing for others, or safeguarding money or securities [4(k)(4)(A)]. An activity that the Federal Reserve Board has determined to be closely related to banking [4(k)(4)(F); 12 C.F.R. 225.28]: extending credit and servicing loans; collection agency services. An activity that a bank holding company may engage in outside the U.S. [4(k)(4)(G); 12 C.F.R. 211.5].

11. Mortgage broker; check casher; pay-day lender; credit counseling service; retailer that issues its own credit card; auto/RV dealers that lease and/or finance.

12. Customer information, which means:
   1. Nonpublic personal information concerning its own customers; and
   2. Nonpublic personal information that it receives from a financial institution about the customers of another financial institution;
   3. This would include credit applications, copies of driver's licenses, social security numbers, Tax ID #, proof of income, and anything else that is not normally available to the public.
   NOTE: Customer information includes information handled by affiliates.

13. If a financial institution shares customer information with its affiliates, it must ensure that the affiliates have adequate safeguards in place. Affiliate means any company that controls, is controlled by, or is under common control with another company. See Privacy Rule, section 313.3(a).

14. Both Rules implement section 501 of the GLBA. The Safeguards Rule uses Privacy Rule definitions, but defines the new terms "customer information" and "service provider". The Privacy Rule focuses on Privacy Notices, Opt Out rights and limits on use and disclosure; the Safeguards Rule focuses on security.

15. Top Three Reasons Dealerships are NOT in compliance:
   1. Won't happen to me
   2. We do that
   3. We've already done enough

16. We can't afford to risk anything when the fines are $11,000 per occurrence per day. This does not mean per visit, but per piece of information. For example, 15 deal jackets with credit information left on a desk would be: 15 fines X $11,000 per fine = $165,000. Enforced by the FTC.

17. They usually conduct inspections around the opening, closing and lunch hours of businesses. Why do you think this is? Why would they want to inspect a company like Camping World?

18. ChoicePoint, Inc. January 30, 2006 (complaint). FCRA violation (Fair Credit Reporting Act). Unfair or deceptive acts or practices. Civil penalty $10 million. Consumer redress $5 million.

19. Top Three Risk Areas:
   1. Lack of documentation
   2. Uncontrolled computer access
   3. Lack of training

20. Documentation: ISP (Information Security Plan) in writing; administrative, technical, and physical safeguards; service provider addendums; monitoring efforts; training efforts.

21. Training and Management: reporting violations; sharing logins; passwords on monitor; clean desk rule; new employee orientation; management seriousness.

22. DMS Specific: separate logins; rights and profiles; automatic log-off; passwords; remote access; CRM.

23. Network/PC Specific: logins; passwords; network access; monitoring; controlled external storage; Windows lock/automatic logoff.

24. Internet: restricted access; filtering and monitoring; e-commerce; web-based e-mail accounts; written Internet Usage Policy.

25. E-mail: controlled account; retention (sent and deleted); passwords; monitoring; backup.

26. Physical and desk-level safeguards:
   1. Store documents and electronic backups in a secure/locked room in locked file cabinets.
   2. Limit access and keys to those who need it.
   3. Put working deals back when you are done with them.
   4. Log off or lock your computer if you leave your desk.
   5. Finance and Sales managers: lock working deals in a file cabinet when you leave your desk (even for a brief Hello or Turn Over).
   6. Have a proper storage/disposal process for dead deals. DO NOT throw them in the garbage!
   7. Report any suspicious person or activity to a supervisor.

27. Eleven Quick Checks:
   1. Dumpster diving
   2. Repair orders/history in service
   3. Ask the newest salesperson who the ISP Coordinator is
   4. Check around terminals for login info
   5. Check for unprotected terminals
   6. Ask the ISP Coordinator for current service providers
   7. Check for access to web-based e-mail accounts
   8. Check for the current list of DMS access
   9. Ask the accounting office to unlock a computer
   10. Ask 5 people when they last changed their password
   11. Look on salespeople's desks and in unlocked drawers for customer/consumer protected info.