‪(480) 285-8227 dave@dealercomply360.com

GLBA Policy

Purpose:
The purpose of this policy is to ensure that [Dealership Name] complies with the Gramm-Leach-Bliley Act (GLBA) by safeguarding consumer financial information, maintaining the privacy of sensitive data, and implementing effective security measures.

1. General Policy Statement

[Dealership Name] is committed to protecting the privacy and security of customer financial information in compliance with the Gramm-Leach-Bliley Act (GLBA). This includes adherence to the GLBA’s Safeguards Rule and Privacy Rule to protect consumer data from unauthorized access, misuse, and disclosure.

2. Scope

This policy applies to all dealership personnel who collect, store, or process non-public personal information (NPI) of customers, including information obtained during credit applications, financing processes, or other consumer interactions.

3. Responsibilities

  • Compliance Officer: Oversees GLBA compliance, develops safeguards, and provides training to employees.
  • IT Department: Ensures the security of electronic systems and data storage.
  • Finance and Sales Teams: Collect and handle consumer information responsibly and in compliance with GLBA requirements.

4. Policy Provisions

4.1 Protecting Non-Public Personal Information (NPI)

  • Definition of NPI: Non-public personal information includes any personally identifiable financial information provided by a customer, such as:
    • Name, address, and contact information.
    • Social Security numbers.
    • Credit or income details.
    • Account numbers or other financial details.
  • Employees must handle all NPI with care and use it only for authorized purposes.

4.2 Privacy Notices

  • Provide a Privacy Notice to customers at the beginning of the customer relationship and annually thereafter.
  • The Privacy Notice must include:
    • Categories of NPI collected.
    • Categories of NPI disclosed.
    • Details on how the dealership protects NPI.
    • Information about the customer’s right to opt-out of sharing their information with third parties (if applicable).
  • Ensure that customers can easily understand the Privacy Notice and how to exercise their rights.

4.3 Safeguards for Protecting Customer Information

  • Implement administrative, physical, and technical safeguards to protect NPI, including:
    • Administrative Safeguards: Employee training, restricting access to NPI based on job roles, and ensuring third-party service providers comply with GLBA.
    • Physical Safeguards: Secure filing systems, shredding of sensitive documents, and limiting access to physical locations where NPI is stored.
    • Technical Safeguards: Use of encryption, firewalls, secure passwords, and antivirus software for electronic data.

4.4 Information Security Program

  • Develop and maintain a written Information Security Program that includes:
    • Risk assessments to identify potential threats to customer information.
    • Measures to protect against unauthorized access or use of NPI.
    • Regular testing and monitoring of security measures.
    • Processes for responding to security breaches or data incidents.

4.5 Employee Training

  • Provide initial and periodic training to employees on their responsibilities under GLBA, including:
    • Proper collection, handling, and disposal of NPI.
    • Recognizing phishing attempts, fraud, or unauthorized data access.
    • Reporting suspected data breaches or security risks.

4.6 Third-Party Service Providers

  • Ensure that third-party service providers who handle customer information on behalf of the dealership comply with GLBA by:
    • Conducting due diligence before engaging service providers.
    • Requiring service providers to sign agreements to safeguard NPI.
    • Monitoring service provider performance periodically.

4.7 Data Retention and Disposal

  • Retain customer data only as long as necessary for business or legal purposes.
  • Properly dispose of NPI by shredding physical documents or securely deleting electronic records to prevent unauthorized access.

4.8 Incident Response

  • Establish a clear procedure for responding to data breaches, including:
    • Immediate containment and investigation of the breach.
    • Notification to affected customers and regulatory agencies, as required by law.
    • Implementation of corrective measures to prevent future incidents.

5. Monitoring and Auditing

  • Conduct regular internal audits to evaluate compliance with GLBA.
  • Document findings and corrective actions taken.
  • Review and update safeguards and privacy notices as needed.

6. Penalties for Non-Compliance

Non-compliance with GLBA can result in:

  • Civil and regulatory penalties.
  • Reputational harm to the dealership.
  • Disciplinary actions for employees, up to and including termination, for violating this policy.

7. Policy Updates

This policy will be reviewed and updated annually, or as changes to GLBA, industry practices, or dealership operations occur.

Acknowledgment
I acknowledge that I have read and understand the Gramm-Leach-Bliley Act Compliance Policy and agree to abide by its provisions.

Employee Signature: ___________________________
Date: ___________________________

Manager Signature: ___________________________
Date: ___________________________

This policy ensures compliance with the GLBA, protects customer information, and reinforces consumer trust in the dealership’s commitment to privacy and security.