(480) 285-8227 dave@dealercomply360.com

Non-Public Personal Information (NPI) Policy

Purpose:
The purpose of this policy is to ensure the proper handling, protection, and confidentiality of Non-Public Personal Information (NPI) in compliance with the Gramm-Leach-Bliley Act (GLBA), the FTC Safeguards Rule, and other applicable regulations. This policy outlines procedures for safeguarding NPI collected and maintained by [Dealership Name].


1. Scope

This policy applies to all employees, contractors, vendors, and other authorized individuals who access or handle NPI at [Dealership Name]. It covers NPI in all forms, including physical and electronic records.


2. Definitions

  • Non-Public Personal Information (NPI): Any personally identifiable financial information that is:
    • Provided by a customer during a transaction or service.
    • Resulting from a transaction involving the customer.
    • Obtained in connection with providing a financial product or service.

Examples include, but are not limited to:

  • Names, addresses, and phone numbers.
  • Social Security Numbers (SSNs).
  • Financial account numbers.
  • Credit card information.
  • Loan or lease details.

3. Policy Statement

[Dealership Name] is committed to safeguarding the confidentiality, integrity, and security of NPI to protect customer privacy and ensure compliance with applicable laws. NPI will be collected, stored, used, and disposed of in a secure and lawful manner.


4. Procedures for Handling NPI

4.1 Collection of NPI

  • Collect NPI only as necessary to complete a transaction or provide a service.
  • Inform customers about how their information will be used through a clear and concise privacy notice.

4.2 Use of NPI

  • Use NPI solely for legitimate business purposes, such as:
    • Completing vehicle sales or financing transactions.
    • Communicating with customers about their accounts.
  • Prohibit unauthorized access or use of NPI for personal or non-business purposes.

4.3 Storage and Access

  • Physical Records:
    • Store NPI in locked, access-controlled cabinets or rooms.
  • Electronic Records:
    • Store NPI on encrypted and password-protected systems.
    • Restrict access to authorized employees based on job responsibilities.

4.4 Sharing and Disclosure

  • Share NPI only with authorized third parties as permitted by law, such as:
    • Credit reporting agencies for financing purposes.
    • Vendors or service providers under strict confidentiality agreements.
  • Obtain customer consent for any disclosures not required by law or business necessity.

4.5 Privacy Notice

  • Customers will receive a privacy notice that explains how their information is collected, used, shared, and protected, as well as their rights regarding their information. The privacy notice will include:
    • Information Collected: The types of NPI collected (e.g., Social Security numbers, financial account information, contact details).
    • How Information is Used: Explain how the dealership uses NPI (e.g., to process financing, complete transactions, verify identity).
    • Sharing Practices: Detail with whom the dealership shares NPI and for what purposes (e.g., credit bureaus, service providers, government agencies).
    • Customer Rights: Notify customers of their right to opt out of certain types of information sharing, if applicable.
    • Protection Measures: Summarize the administrative, technical, and physical safeguards used to protect NPI.
    • Contact Information: Provide a way for customers to contact the dealership with questions or concerns about their privacy (e.g., phone number, email, mailing address).
  • Privacy notices must be delivered in a manner that ensures the customer can reasonably be expected to receive and understand them. This includes:
    • In Person: Provide a printed copy at the point of sale or when NPI is collected.
    • Electronically: Provide via email or website, with customer consent for electronic delivery.
    • By Mail: Send to the customer’s mailing address when applicable.

5. Security Measures

  • Administrative Safeguards:
    • Conduct regular training for employees on proper handling of NPI and data security best practices.
    • Assign access controls based on roles and responsibilities.
  • Technical Safeguards:
    • Implement firewalls, antivirus software, and encryption to protect electronic NPI.
    • Require multi-factor authentication (MFA) for systems containing sensitive information.
  • Physical Safeguards:
    • Use secure shredding or certified destruction services for paper records containing NPI.
    • Prohibit leaving NPI visible on desks or in shared spaces.

6. Incident Response

  • Reporting:
    • Employees must immediately report any suspected or actual data breach involving NPI to the Compliance Officer.
  • Response and Investigation:
    • Contain and mitigate the breach to prevent further exposure.
    • Notify affected customers and regulatory authorities as required by law.

7. Record Retention and Disposal

  • Retain NPI records for the legally required period (e.g., 3 years as required in Arizona; a 7-year retention period is recommended).
  • Securely dispose of NPI after the retention period by:
    • Shredding physical records.
    • Using certified data wiping tools for electronic records.

8. Employee Responsibilities

  • Handle NPI with care and in accordance with this policy.
  • Report any security concerns or policy violations immediately.
  • Complete training on data security and NPI protection.

9. Prohibited Practices

Employees must not:

  • Share NPI with unauthorized individuals or entities.
  • Access NPI without a legitimate business need.
  • Leave physical or electronic records containing NPI unattended or unsecured.

10. Monitoring and Auditing

  • Conduct regular audits to ensure compliance with this policy.
  • Monitor systems for unauthorized access or suspicious activity.

11. Penalties for Non-Compliance

Failure to comply with this policy may result in:

  • Disciplinary action, up to and including termination.
  • Regulatory penalties or fines.
  • Damage to [Dealership Name]’s reputation.

12. Policy Updates

This policy will be reviewed and updated annually or as required by changes in laws, regulations, or dealership practices.


Acknowledgment
I acknowledge that I have read and understand the Non-Public Personal Information Policy and agree to comply with its provisions.

Employee Signature: ___________________________
Date: ___________________________

Manager Signature: ___________________________
Date: ___________________________


This policy ensures the proper handling and protection of NPI while maintaining compliance with applicable privacy regulations.