Edward Snowden, the “Heartbleed” computer bug and Sony computer hacks are major news stories that have caused everyone to become sensitive to privacy issues. More than ever, privacy breaches raise major reputational and legal liabilities for all companies.
Automobile dealers’ privacy policies and practices are under greater scrutiny. In the U.S., dealerships are increasingly viewed as akin to banks by government regulators1 . Failing to have in place appropriate privacy policies can give rise to investigations, fines, breaches of dealership agreements, and civil and class action liability. Media reports and the long-term impact these reports have on a company’s public image can be even more damaging than the immediate consequences.
Even if a data breach has not yet occurred, this should not create a false sense of security. Data breaches can occur in the most sophisticated organization (and have occurred in well-known companies like Google and JP Morgan Chase). A number of hospitals in Ontario are facing multi-million dollar class actions alleging breaches of privacy rights for allowing persons who were not authorized to review sensitive personal information.
Data breaches can occur in many different ways: intentionally, unknowingly, carelessly, or through theft. Prudent companies should plan for when a data breach happens, as opposed to wondering if one will occur.
Auto dealers handle many different kinds of personal information that is subject to privacy protection laws: drivers’ licences, social insurance numbers, bank account and credit card information, for example. Yet a crucial part of any automobile dealership also involves the responsible sharing of personal information with others. What should auto dealers be concerned about?
- How is customer information being used? What have they consented to? What have they not consented to?
- Detailed rules exist about credit checks. Unauthorized credit checks can lead to fines and liability under the Consumer Reporting Act and privacy legislation.
- How long is personal information kept? Personal information may be retained only as long as necessary for the fulfillment of the purpose for which it was given. Does the dealership have in place guidelines for the destruction of personal information?
- Are customer telephone calls taped? Is the information stored? Who has access to it? How long is the information kept? What use can be made of the information?
- What controls exist on accessing personal information of customers? Who is allowed to review the information? Do they need to have access? What do they need to access? Is their review authorized?
- Does the dealership have policies or rules in place for downloading information to laptop computers, external hard drives or USB keys that could be lost or stolen? Stolen laptops with sensitive customer information may be a more significant concern than sophisticated online hackers.
- How is personal information shared with the factory and third party vendors? Can the dealership review data sent to third parties?
- Do audit controls exist? Are systems audited to ensure only appropriate access? How long are logs kept? Ontario’s Privacy Commissioner recently faulted a hospital for not having appropriate auditing capabilities in place, which led to unauthorized employees accessing information without the hospital realizing2 .
In B.C., the CBC reported that it was investigating auto dealers who scanned and stored licences of persons taking test drives. These licences were later used by dealerships for marketing purposes, even though no customer consent was apparently obtained3 . Basic scanner technology used by a dealer led to a nation-wide television segment, complete with criticism of the dealership by the B.C. Civil Liberties Association.
Privacy issues are at the forefront of customer and government concerns. A crucial part of any dealer’s regulatory compliance involves reviewing privacy policies and consents with counsel to ensure these are updated to accurately reflect actual use and practices. Auto dealers must also plan for how they will deal with privacy breaches once they occur: containing the breach; evaluating risks; determining whether notification is required; and preventing further breaches4 . All companies are at risk. Those that plan in advance to protect privacy will successfully limit risks, liabilities and retain customer trust.