FACILITATOR’S GUIDE

Information Security Program

Policy and Procedure Orientation

Sales Staff & General Employees

NOTE: If salespersons complete credit applications or otherwise handle Nonpublic Personal Information (NPI), they must complete the training for Secure Document Area Workers.

A copy of the General Worker Job Description Affirmation Form will be required for each attendee.

Presentation Outline

Read the following text aloud to your general workers and sales staff.

The purpose of the meeting today is to discuss the Safeguards and the Disposal Rule as enacted by the Federal Trade Commission and the company policy known as the Information Security Program (ISP) that has been established in response to these regulations.

Because a customer’s financial information may influence how a deal is structured, whether the car can be spot delivered, or whether a sale can be made at all – and because the intent of the Safeguards Rule and the Disposal Rule is to protect the privacy of this information – it is important for you to understand and follow the new procedures.

At the close of this meeting, you will be given an excerpt from the employee handbook addressing the Safeguards Rule and the Disposal Rule. You will also be given a Job Description Affirmation Form and asked to sign it to verify that you have been briefed on these regulations and our company policy.

Identity theft is the fastest-growing crime in the United States, and based on the sales and funding activity in a dealership, we are vulnerable to this type of illegal behavior.

The Gramm-Leach-Bliley Act was passed to help control the misuse of personal information given when we make certain purchases, arrange for in-store financing and insurance, and when we deal with banks and other institutions to get a loan.

I am certain you are all familiar with the first phase of the Gramm-Leach-Bliley Act through the privacy notices you have received from your banks, credit card companies, and creditors. These notices address the unrestricted sharing of personal information with other retailers.

The second phase of the Gramm-Leach-Bliley Act became effective on May 23, 2003. Known as the Safeguards Rule, it prescribes a set of security measures that must be used to protect the personal information given to us by customers and potential customers.

The Disposal Rule became effective on June 1, 2005, and requires proper disposal of Nonpublic Personal Information to prevent unauthorized use of the information and protect consumers from fraud or identity theft.

Nonpublic Personal Information (NPI) includes confidential personal information about individuals, such as bank balances, credit history reports, and account numbers. It also includes lists of such customer information generated over time. The information contained on a driver’s license and proof of insurance form is Nonpublic Personal Information.

The regulations require that policies and procedures be implemented to protect this information by restricting access to this information and ensuring its proper disposal.

Keep in mind that Nonpublic Personal Information can be in the form of contracts, credit applications, other papers, and information on computers.

We have modified our existing policies to comply with the Safeguards Rule and the Disposal Rule, but we have done nothing to impede your ability to sell automobiles or do your job.

The first thing you will notice is that the business office, F&I office, and ______ have been designated as Secure Document Areas.

This means that the F&I office is off limits, as is the business office and any other area marked with this Secure Document Area sign (show sign). Even if you are a Secure Document Area Worker, your authorization is limited to handling the documents you must process or retrieve from customers during the course of your assigned activities.

If you need something from the business office, you can either go to the customer service window or door, or call to request the necessary information. In some instances, you may be allowed to enter the office to pick up material and/or sign documents if accompanied by a person authorized to work in that Secure Document Area.

The F&I practitioner is still available to take T.O.s, and your customers will have access to the F&I office.

You can no longer retrieve and review a credit application, credit history report, bank callback notes, or related information.

However, if you or sales management need to gather Nonpublic Personal Information about the customer in order to structure a deal, the specific items required will be related as necessary by a Secure Document Area Worker.

You will still have all the tools you need to make a deal or do your job; only the method for securing the information has changed. If you think about it, the actual information you need isn’t in the particulars of the credit application; it’s the consequences of what’s in that report – a credit score, for example. This information can be provided to you verbally, giving you what you need to structure or restructure the deal.

Having the “Secure Document Area - Authorized Personnel Only” sign outside the F&I office has a positive benefit; customers may be more candid about their financial information if they believe they’re in a secure, private environment.

If you need a file, such as a deal jacket, that contains Nonpublic Personal Information, then the Secure Document Envelope containing this information will be removed and the file provided to you.

If you need access to Nonpublic Personal Information, a person authorized to handle this material will retrieve the file and relate to you the specific information you require. In some situations, the Secure Document Envelope may be signed out to you. In such cases, you must sign the envelope out and in.

In our store, the following people are responsible for implementing and monitoring the Information Security Program:

The Corporate Compliance Officer is ______

The Facility Compliance Officer is ______

(If applicable) The Assistant Compliance Officer is ______

The Secure Document Area Compliance Officers are:

Business Office: ______

F&I Office: ______

Other: ______

With the exception of select managers and other staff, only the personnel in the business and F&I offices are authorized to work in those Secure Document Areas.

In addition to respecting the Secure Document Area policy, we ask that you be alert for Nonpublic Personal Information left unsecured. Documents containing this information cannot be left unattended; files cannot be left out on desks, and computers cannot be left unattended with Nonpublic Personal Information on the screen or the program left open allowing access to this information.

If you see this type of information left unsecured, please contact the appropriate Compliance Officer, the business manager or a Secure Document Area Worker.

You are also being asked to report any attempted breaches of the dealership Information Security Program by fellow employees, customers, or outside parties. Any suspicious activity surrounding the securing of documents or files, attempts to gain access to a computer screen, or any solicitation by anyone to gain access to Nonpublic Personal Information should be reported to the appropriate Compliance Officer or to the business manager.

To be certain, the Safeguards Rule and the Disposal Rule will change how you do your job. But because we are all consumers who, at one time or another, share our Nonpublic Personal Information with another party, it is best if these controls are in place to protect all of us from thieves.

I will close with the recognition that old habits, even standard operating procedures, are hard to break. There are regulators, lawyers, and consumers who will be alert for breaches of the Safeguards Rule and the Disposal Rule.

These people are not going away, and neither are the requirements of the Safeguards Rule and the Disposal Rule. The Information Security Program will be enforced. If you make a habit of following the new procedures, in a short time, the process will become an undetectable part of your sales routine.

I will now pass out the new employee handbook inserts along with the General Worker Job Description Affirmation Form for you to review and sign. You will be given a copy of this signed form. I will answer any questions you have. Thank you for your attention and cooperation.

Pass out and then collect the Job Description Affirmation Forms – ensure that they are all signed. (A signed copy of the form is to be given to each salesperson and general employee, a copy placed in his or her personnel file, and a copy placed in the NPI Compliance Binder.)