INITIAL IMPLEMENTATION: 5/23/03
LAST UPDATED: 2/18/09

Lichtsinn Motors Privacy & Information Security Policy

It is Lichtsinn Motors’ policy that customer/employee information may be used for Lichtsinn Motors related business purposes only. Each employee is required to take every precaution to protect this information. To aid in this, we have adopted the following Policy and Safeguard Standards Policy. Compliance with this Policy is a mandatory requirement for employment.

Program Coordinator

The Lichtsinn Motors Information Security Program Coordinator is Heidi Thompson in the position of Dealership Controller/Office Manager. It is the Program Coordinator’s responsibility to maintain and update the privacy policy and information safeguard standards as needed, including meeting with dealership staff at least annually to review the current policy. The Program Coordinator will report directly to Ron Lichtsinn, the Dealer Operator of the dealership. In the event the Program Coordinator ceases to be employed by the Dealership or is unable to perform the responsibilities, Hope Lichtsinn shall take over the responsibilities of the Program Coordinator until a new permanent Program Coordinator is appointed.

Privacy Policy

Employees are responsible for providing a copy of our Privacy Policy to each customer in the following situations:

1. Any customer that enters into an agreement or understanding for assistance to obtain a loan or financing for a vehicle, regardless of whether or not financing is obtained. The method in which the policy is provided to the customer is as follows:
   a. In person, when the customer completes a Credit Application at the Dealership location.
   b. Sent by mail within 7 days of receipt of information to complete a Credit Application via the telephone or on-line.
2. Any customer that provides information to the Dealership to assist them in obtaining payoff information on a trade-in vehicle.
3. Any customer that purchases other products or services (e.g., Service Contracts) on a vehicle they already own.
4. Annually, the Privacy Policy is sent to all current charge customers and vendors.

Employee Interviewing, Hiring, and Training

All current and new employees will:

1. Be subject to satisfactory reference and consumer/criminal report investigations.
2. Sign and acknowledge his/her agreement to the Dealership’s Privacy & Information Security Policy.
3. Participate in the Dealership’s ongoing Privacy & Information Security Policy and Standards training as provided by the Program Coordinator.
4. Be responsible for protecting the confidentiality and security of the customer information the Dealership collects and for using the information in accordance with the Privacy & Information Security Policy.

Obtaining Customer Information and Verifying Customer Identities

The following procedures have been implemented with respect to obtaining customer information and verifying customer identities:

1. Forms utilized by the Dealership request customer information such as name, address, telephone number, birth date, social security number, tax identification number, and driver’s license and insurance information, to enable the Dealership to verify the identification of the customers.
2. Employees must request to see a customer’s driver’s license or other form of government-issued identification bearing a photograph to verify the customer’s identity and will make a copy of this identification to retain in the customer’s file. If a customer requests financing in connection with a transaction, the customer must complete a credit application, provide employment information and references, and authorize the Dealership to obtain a credit report. As requested by loan companies, employees may also request copies of the customer’s utility bills, bank or credit card statements, paycheck stubs, and other financial and identity verifying records.
3. If the information that a customer provides is conflicting or cannot be verified, employees shall request additional government-issued documentation evidencing the customer’s residence and bearing a photograph or other safeguard (i.e. social security card, alien identification card, or passport) to enable employees to form a reasonable belief that they know a customer’s true identity. If customer information still cannot be verified, employees shall notify the Program Coordinator for further instructions.
4. All loan companies that the Dealership uses run each customer’s name through the master list of Specially Designated Nationals and Blocked Persons to ensure their names do not appear on the list. The Dealership has access to the updated version of this list as well.

Protecting the Confidentiality and Security of Customer & Employee Information

Each employee is responsible for protecting the confidentiality and security of customer and employee information that the Dealership collects and for using the information in accordance with the Dealership Privacy & Information Security Policy. Employees shall have access only to that customer information which is necessary to complete their designated responsibilities. Employees not authorized shall not access or provide any other unauthorized person access to customer information that is obtained during the course of employment.

The following security measures must be followed in order to protect both customer and employee information:

1. Access to customer information through ADP is restricted to authorized employees only. Each employee with ADP access will have a unique password corresponding with their level of security access. Passwords may not be posted near computers, posted in public areas, or shared with any other person.
2. All paper and electronic records must be stored in a secure location to which only authorized employees have access. Any paper records containing customer information must be stored in a deal jacket or folder. Jackets may not be left in the open when not in use for ANY period of time; they must be stored in a concealed area. All Deal Jackets and Folders must be stored in a locked area nightly. Electronic records are backed up nightly and secured in a fireproof safe with restricted access.
3. Access to printed customer information (jackets etc.) is restricted to Sales and Office Personnel ONLY. Any other employee who, for specified work purposes, needs this information must have one of the above listed personnel obtain it for them.
4. Employees that have access to the computer system and electronic records may not download any software or applications to Dealership computers or open e-mail attachments from unknown sources. Employees must log off any Internet, E-mail, ADP or other account when not in use. These records also may not be downloaded to a disk or individual computer without authorization from the Program Coordinator.
5. Virus protection must be installed on all computers with internet access. A secure server is used at the Dealership with firewall protection.
6. All data must be erased from computers, disks, hard drives or any other electronic media that contains customer information prior to their disposal. An inventory of all current computers is maintained in the office area.
7. Any paper records of customer/employee information are shredded before they are disposed of.
8. Neither current nor former employees may remove any customer information from the dealership, whether it be stored on paper or electronic records. Therefore, private customer information is not stored on PDAs or any other transportable equipment.
9. Historical customer information is stored in a restricted access area.
10. Access to the cash register is restricted to Service, Parts and Management personnel unless authorized by the Program Coordinator.
11. A privacy notice form is completed by each customer when the credit application information is collected. At that time they are asked to sign a form to indicate if they may be contacted by a customer interested in their trade vehicle. Prior owner information is not provided without prior authorization.
12. Customer Rental Agreements must be stored in a restricted access location.
13. Lichtsinn Motors does not sell customer/employee names for profit or provide its customer lists to any other sources.
14. Credit Card Machines used at the Dealership use secure data transmission to relay information. Credit Card processing is restricted to those personnel who use it for legitimate business purposes only.
15. Credit Card receipt copies are kept in a secure location until they are filed with the R/O or invoice in a cabinet with restricted access until payment is received. The Merchant Copy of a credit card receipt that is already attached to an R/O is stored in a locked area at the end of the business day. It is always kept in a restricted access area.
16. Employment Applications must be stored in a designated locked location.
17. Employee/Payroll information is stored in a locked location.
18. Any person inquiring about customer/employee private information is screened to ensure the legitimacy of their request. If the request is coming from a 3rd party unrelated to direct dealership business transactions, no information will be provided without customer approval.
19. Upon the termination of employment of an employee, he/she must turn in any keys that provide access to the Dealership, including: entrances, file cabinets, desks, and offices in the Dealership. Passwords and security codes of this individual will be deleted if applicable.
20. The Program Coordinator or Ron Lichtsinn must be notified immediately of any attempts by unauthorized persons to obtain access to customer/employee information or of any potential security risks that are identified so that they may be addressed immediately. Lichtsinn Motors will notify any customer/employee promptly if their private information is subject to loss.

Any employee that fails to adhere to any of the items in the Lichtsinn Motors Privacy & Information Security Policy, whether such failure is intentional or unintentional, will be subject to disciplinary action up to and including termination.