
Policy for Disposal of Sensitive Customer Credit Information

Purpose:
The purpose of this policy is to establish procedures for the secure disposal of sensitive customer credit information at [Dealership Name]. This ensures compliance with the Fair Credit Reporting Act (FCRA), the FTC Safeguards Rule, and other applicable regulations, while protecting customer privacy and preventing unauthorized access to sensitive data.


1. Scope

This policy applies to all employees, contractors, and third-party service providers of [Dealership Name] who handle or have access to sensitive customer credit information, including:

  • Credit reports.
  • Loan applications.
  • Personal identification details (e.g., Social Security numbers, financial account details).

2. Policy Statement

[Dealership Name] is committed to safeguarding sensitive customer credit information throughout its lifecycle, including proper disposal to ensure it cannot be reconstructed, retrieved, or used by unauthorized individuals.


3. Definitions

  • Sensitive Customer Credit Information: Non-public personal information (NPI) provided by customers or obtained through credit reporting, including but not limited to Social Security numbers, credit scores, account numbers, and loan details.
  • Secure Disposal: The destruction of physical and electronic information in a manner that renders it unreadable and irretrievable.

4. Procedures for Disposal

4.1 Physical Documents

  1. Shredding:

    • Use cross-cut shredders to destroy paper documents containing sensitive information.
    • Shredded materials should be securely bagged and disposed of in accordance with dealership waste management protocols.
  2. Third-Party Disposal Services:

    • If using a third-party shredding service, ensure the vendor is certified for secure document destruction (e.g., NAID AAA Certified).
    • Maintain a destruction log or certificate of destruction from the vendor.
  3. On-Site Storage Prior to Disposal:

    • Store documents awaiting destruction in locked, access-controlled containers or shredding bins.

4.2 Electronic Records

  1. Data Deletion:

    • Permanently delete electronic files containing sensitive information using software designed for secure data wiping.
    • Ensure all backups containing sensitive information are deleted or overwritten.
  2. Hardware Disposal:

    • For hard drives, USB drives, or other storage devices:
      • Use degaussing (magnetic erasure) or physical destruction to render devices unreadable.
      • Work with certified e-waste disposal vendors to ensure proper destruction.
  3. Cloud-Based Data:

    • Confirm that cloud storage providers have securely deleted sensitive data as per the service agreement.
    • Request and retain proof of deletion from the provider when applicable.

5. Employee Responsibilities

  • Employees are required to:
    • Identify documents and records containing sensitive customer credit information.
    • Follow secure disposal procedures for physical and electronic records.
    • Report any suspected mishandling of sensitive information to their supervisor or the Compliance Officer.

6. Monitoring and Auditing

  • Destruction Logs:

    • Maintain records of all disposal activities, including the date, method, and person responsible for destruction.
    • Retain certificates of destruction provided by third-party vendors.
  • Periodic Audits:

    • Conduct regular audits to ensure compliance with this policy.
    • Identify and address any gaps in disposal practices.

7. Training

  • Provide training to all employees on proper disposal procedures, including:
    • Recognizing sensitive customer credit information.
    • Understanding secure disposal methods.
    • Complying with legal and regulatory requirements for data protection.

8. Prohibited Practices

Employees must not:

  • Dispose of sensitive information in unsecured trash bins or recycling containers.
  • Allow unauthorized individuals to access or handle sensitive records awaiting destruction.
  • Use personal devices or unapproved methods to dispose of dealership records.

9. Penalties for Non-Compliance

Failure to comply with this policy may result in:

  • Disciplinary action, up to and including termination of employment.
  • Fines or legal penalties under applicable regulations.
  • Reputational damage to [Dealership Name].

10. Policy Updates

This policy will be reviewed and updated annually or as changes to dealership operations, technology, or regulatory requirements occur.


Acknowledgment
I acknowledge that I have read and understand the Policy for Disposal of Sensitive Customer Credit Information and agree to comply with its provisions.

Employee Signature: ___________________________
Date: ___________________________

Manager Signature: ___________________________
Date: ___________________________


This policy ensures the secure and compliant disposal of sensitive customer credit information, protecting customer privacy and reducing the risk of data breaches.