Failure To Protect Data May Violate The FTC Act

The Federal Trade Commission (“FTC”) has recently targeted dealers whose advertisements are deceptive or who engaged in unfair trade practices.  Because businesses from different industries may conduct their affairs in a similar fashion, it is important to monitor actions brought by the FTC against other businesses.  A recent enforcement action initiated by the FTC against a medical billing company may have a profound impact on automobile dealers.

Accretive Health, Inc. (“Accretive”), provides medical billing and revenue management services to medical providers throughout the United States.  Because of the services it provides, Accretive collects significant amounts of nonpublic personal information on patients.  This information includes social security numbers, dates of birth, billing information, and medical records.  The laptop of an employee of Accretive was stolen from the employee’s car.  The laptop contained twenty million pieces of information on twenty-three thousand patients.  The FTC alleged in its complaint that Accretive’s practices were inadequate to safeguard against these kinds of thefts, and placed patients’ information at considerable risk.  Citing Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” the FTC claimed that Accretive’s practices likely caused “substantial injury to consumers that is not offset by countervailing benefits” and “is not reasonably avoidable by consumers.”

With the popularity of “Bring Your Own Device,” it is easy to imagine a situation where a dealership’s data is compromised in a similar manner as Accretive’s.  For example, suppose your employees use their personal smartphones or laptops to access your DMS or CRM.  The theft of a smartphone or laptop could allow an unauthorized individual access to consumers’ nonpublic personal information.  Without processes in place to safeguard consumers’ data, dealers may face liability for violating several laws, including the FTC Act.

Many dealers are aware of their responsibilities to protect nonpublic personal information from theft or other loss.  The Safeguards Rule of the Gramm-Leach-Bliley Act requires dealers to implement processes to safeguard consumers’ information, and make modifications to their processes that are necessary to protect this information.  The Red Flags Rule requires dealers to implement and maintain processes to detect identity theft, and make any changes required to improve the efficacy of the processes.  Each of these laws has its own enforcement mechanisms and civil penalties.  Now, the FTC appears willing to interpret Section 5 of the FTC Act to include data losses, under certain circumstances, as deceptive practices.  Unfortunately for dealers, this means that a data loss may trigger liability under the FTC Act, in addition to any liability under the Safeguards Rule or Red Flags Rule.

Is Your Dealership Ready For Changes To The Telephone Consumer Protection Act?

Recently the Federal Communications Commission (“FCC”) enacted new rules and regulations related to the Telephone Consumer Protection Act (“TCPA”), which regulates how companies may contact consumers by telephone.  TCPA prohibits companies from contacting consumers via automated dialing systems, either by text or by telephone, without prior express consent of the party called.  These rules, effective October 16, 2013, significantly change what constitutes prior express consent.

TCPA now requires firms to obtain prior written consent for auto-dialed marketing or advertising calls and text messages.  Acceptable written consent must include clear and conspicuous disclosures that the consumer consents to receiving auto-dialed calls or text messages, including pre-recorded messages, on behalf of a specific seller, and clear and unambiguous acknowledgement that the consumer consents to receive such calls and text messages at the number provided.  The company cannot condition the sale of goods or services on the consumer consenting to receive auto-dialed marketing or advertising calls, and the caller bears the burden of demonstrating the consumer consented to the contact.   An “opt-in” text reply alone may not meet the new prior written consent required by TCPA.  These revisions apply retroactively, so any companies that have received consent prior to the enactment of these new rules will likely have to obtain consent from the consumer again.

Dealers have to be mindful of how these changes to TCPA affect their businesses.  First, if you utilize a third party to solicit consumers via calls or text messages, you must ensure that your vendor complies with TCPA.  If not, you may find your business liable for violations of the law (see: “Lithia Faces $2.5 Million Tab For Texting”).  Even if you do not use an outside vendor in the aforementioned manner, you may still have to comply with TCPA if you use a device capable of auto-dialing to contact consumers by text or by telephone.  It is likely that TCPA’s restrictions encompass computers capable of auto-dialing.  So, if you utilize a service such as Google Voice, Skype, or an auto-dialer through a CRM system, you will likely need to obtain prior written consent before soliciting consumers by calls or text messages.

Recording F&I Transactions? Here Are Three Things To Consider

An editor of Automotive News recently reported on a seminar held at an F&I conference where the panelist generally endorsed using video cameras to record transactions in the F&I office.  There are pros and cons to recording these transactions.  While recordings can be helpful tools for enforcing compliance, training staff, and rebutting accusations by consumers of wrongdoing in the F&I office, they can also be the “smoking gun” of unlawful business practices that provide plaintiffs or regulators with the evidence needed to impose costly penalties and damages.

Deciding whether to record F&I transactions takes more thought than merely selecting what equipment to use.  Before you get your cameras rolling, you should consider the following:

Will You Record Every Transaction?  That one transaction your staff forgets to record could be the one where problems arise.  Worse, an employee who is violating the law may selectively record transactions or edit recordings in order to hide any transgressions.  If you decide to record your F&I staff, you should consider mandating that every F&I transaction is recorded.   If a consumer refuses to be recorded, document the refusal, and maintain adequate records to help reconcile all transactions against ones recorded.

How Does Recording F&I Transactions Fit With Your Coaching And Counseling Processes?  You should train your staff on how to record the transactions, including obtaining the consumer’s informed consent.  This will require developing a consistent script to use with consumers to obtain consent, and some written document signed by the consumer evidencing consent.  You will need to designate who will review the videos and what remedial steps are taken when problems are discovered.  Remember, supervisors should not use the videos in a manner that demeans or humiliates their subordinates.  These ‘candid camera’ moments, used at the expense of the employee, could provide ample evidence for an employment discrimination claim.

How Does Recording F&I Transactions Fit With Your Compliance Programs?  Laws such as the Safeguards Rule and the Red Flags Rule impact how you record F&I transactions and store the recordings.  It is likely that these recordings will capture information protected by state and federal law, such as nonpublic personal information, so you will have to take necessary steps to protect this information, and determine when breaches occur.  You will need to amend the documents and records you maintain for compliance programs accordingly.

 

 

FTC Continues Crackdown On Dealers

I recently wrote about the Federal Trade Commission’s (“FTC”) vigorous enforcement of consumer protection and privacy laws against automobile dealers.  In these previous enforcement actions targeting dealers, the FTC found that advertisements related to negative equity were deceptive and unfair, and that dealers failed to take adequate steps to safeguard consumers’ nonpublic personal information from tampering via Peer to Peer (“P2P”) networks.  Now, two dealers entered into consent agreements with the FTC to settle claims of unfair and deceptive trade practices related to advertisements placed by the dealerships online and in print.

The FTC charged that dealers in Maryland and Ohio “violated the FTC Act by advertising discounts and prices that were not available to a typical consumer…[and] misrepresenting that vehicles were available at a specific dealer discount, when in fact the discounts only applied to specific, and more expensive, models of the advertised vehicles.”  The Maryland dealer’s website “touted specific “dealer discounts” and “internet prices,” but allegedly failed to disclose adequately that consumers would need to qualify for a series of smaller rebates not generally available to them.”  The Ohio dealer “allegedly failed to disclose that its advertised discounts generally only applied to more expensive versions of the vehicles advertised.”  To settle these actions, the dealers agreed to comply with the FTC’s order for twenty years, and maintain records of advertisements and promotional materials for the FTC’s inspection, upon request, for five years.

Once again the FTC demonstrated its willingness to extend protections offered by the FTC Act against deceptive and unfair practices to online advertisements placed by dealers.  The FTC’s scrutiny of dealers’ advertisements clearly is not limited to “traditional” media, such as television and newspaper.  Furthermore, the Maryland and Ohio dealers used advertising methods (combining rebates and stating a percentage discount from MSRP) that dealers use frequently.  Therefore, dealers must endeavor to curtail the use of terms and methods that the FTC has determined are deceptive and unfair.

If you have not done so, you should download the FTC’s “.com disclosures,” which offer guidance on what you must disclose in your online advertisements.  Your state’s Attorney General’s office may provide similar guidance.  For example, New York’s Attorney General publishes advertising guidelines for New York dealers.  While your state’s Attorney General may not have issued guidance regarding online advertising, you should not interpret this absence as carte blanche to advertise however you wish.  Each state has enacted its own version of the FTC Act, and many state Attorneys General closely watch the FTC and adopt its posture related to enforcement of consumer protection laws.  So, even if your state’s Attorney General has yet to act, chances are that advertisements like the ones cited above may be deemed deceptive and unfair under your state’s law should a consumer or the Attorney General challenge the advertisements.

Minimizing The Risks Of Taking Credit Applications Over The Telephone Or Internet

The Fair Credit Reporting Act (“FCRA”) restricts the reasons dealers may use to obtain, use, and share credit reports.  In addition to these restrictions, FCRA requires dealerships to provide certain notices to consumers applying for credit.  Dealerships should only obtain credit reports from consumers when they have express permission to do so.  Issues arise when consumers make inquiries about obtaining financing when they are not physically present at the dealership.  In these cases, it is imperative that the dealership has processes in place to obtain consumers’ written consent or otherwise show they have permission to obtain credit reports on behalf of consumers.  Otherwise, consumers may claim the dealership violated FCRA by accessing their credit reports without prior consent.

You will need to determine whether your dealership will accept credit applications from consumers that are not physically present at the dealership.  There are inherent risks associated with accessing credit reports when the applicant is not at the dealership that you will need to balance with business considerations such as customer expectations, convenience, and pressure from competitors.  If you choose to accept credit applications and obtain credit reports for consumers prior to them visiting the dealership, you will need to consider implementing the following safeguards in order to stay compliant with FCRA.  For inquiries initiated over the internet, make sure your website requires credit applicants to provide “digital authorization,” such as a box applicants check signifying they consent to the dealership accessing their credit reports.  Also, you should only accept credit applications that applicants submit through an encrypted system, such as a form on your website, and not unencrypted media such as email.  If the applicant submits an inquiry over the telephone, you should consider asking the applicant to make an inquiry over a secured, encrypted form such as one located on your website.  If the applicant is unable to do so, your staff should note on the credit application the date and time they received the application and ask the applicant to send a facsimile authorizing the dealership to access the credit report.

Once the applicant visits the dealership, you should have him or her complete a credit application, sign it, and retain a copy in the applicant’s file.  You are required to provide adverse action notices or credit score disclosures regardless of whether the consumer initiated a credit inquiry at your dealership or remotely, and your processes regarding credit applications submitted by telephone or the internet should incorporate your dealership’s Red Flags Rule and Safeguards Rule compliance programs.  Effective training and monitoring of employees’ access to consumers’ credit reports will help your dealership stay compliant with the FCRA and avoid potential lawsuits.

Three Things To Remember When Selling Vehicles Online


According to a recent study by JD Power, customers visit an average of 1.4 dealerships before purchasing a vehicle.  As recently as 2005, consumers visited 4.5 dealerships before purchasing.  By using resources available on the internet to gather information, customers can significantly narrow the list of potential vehicles they wish to purchase without having to visit as many dealerships.  Many dealers recognize the power of the internet and resources available to generate leads and traffic. Moreover, state and federal regulators recognize that customers are relying on information provided on the internet when making purchases.  In response, regulators are becoming more inclined to intercede on behalf of consumers and target questionable practices related to advertisements on the internet.  Here are three points to help keep your dealership compliant when marketing and selling vehicles online:

  • Treat Your Online Ads Like Your Offline Ads:  Recently the Federal Trade Commission (“FTC”) published its long-awaited guidelines on how the FTC views practices related to online advertisements.  In summary, the guidelines apply many standards that the FTC applies to advertisements placed in newspapers, television and radio.  For example, when online advertisements include “trigger terms,” like payments or price, dealers must make full disclosure of how they arrived at the price or payment, including down payment, APR, availability, credit score requirements, and so on.  Not only must you make the necessary disclosures and avoid claims that are “unfair,” or “deceptive,” but you also must make sure that these disclosures are legible on a host of devices, including desktop computers and mobile phones.  This requirement mirrors the FTC’s requirement for legible disclosures appropriate to the advertising medium used.  So, download the FTC DotCom Disclosures, review it thoroughly, and remember to be as vigilant with monitoring your online advertisements as you would be monitoring your offline advertisements.
  • Safeguard Consumers’ Data:  In addition to researching pricing and availability of vehicles online, many consumers seek to secure financing by submitting their credit information to dealers.  If your dealership collects nonpublic personal information via online submissions (over email or by a form on your webpage), you must make sure your Safeguards Rule and Red Flags Rule compliance plans address how you protect this information and detect possible identity theft.  You should inventory who has access to this information and where the information is sent.  For example, if you allow sales personnel to receive consumers’ nonpublic personal information on their smartphones or personal email accounts, your policies should address how you protect this information.
  • Deliver Vehicles At Your “Brick And Mortar” Location:  Even though consumers conduct the bulk of their research online, vehicle transactions typically occur at a dealership’s physical location.  That may not always be the case, especially as more and more consumers rely on the internet to facilitate exceedingly complex transactions.  While you may choose to aggressively market your business online, your goal should be to encourage consumers to take physical delivery at your dealership.  Why?  Some states allow for “cooling off” periods where consumers can rescind the contract if they take delivery of vehicles away from the dealer’s premises.  Also, many states allow consumers to rescind retail installment contracts if both parties have not executed the agreement.  For example, if you print the deal paperwork and mail it to a customer to sign, the consumer may void the contract up to the point your dealership’s representative countersigns the contract.  Furthermore, if you sell and deliver a number of vehicles to consumers in a different state than your state of residence, consumers in that state may seek to sue you in that state’s courts, should a conflict arise.  They may successfully argue that you have availed your business of the state’s jurisdictions by soliciting business within the state.  Requiring consumers to complete the transaction by signing the paperwork, and taking delivery, at the dealership should mitigate risk of consumers bringing these kinds of claims.

Image Courtesy of Edmunds.com

How Mobile Phones Fit Into Your Compliance Processes

 

In a few short years mobile phones have become ubiquitous in both our personal and professional lives.  Modern smartphones allow businesses to communicate rapidly with consumers and help employees work together effectively.  Mobile phones on the market today can send and receive emails, upload media to social sites like Facebook and YouTube, and capture high quality images and video, among other capabilities.  As more and more employees use cell phones, whether they use personal devices or ones issued by your business, it is imperative that your processes address how employees are permitted to use these devices.  Here are a few issues to consider regarding employees and cell phone usage at your business:

Distracted Driving:  Many states, such as New York and New Jersey, penalize drivers who are caught operating a motor vehicle while communicating via text messaging.  These prohibitions are generally aimed at preventing “distracted driving.”  Your business may incur liability if employees injure others or damage property while operating one of your dealership’s vehicles and text messaging.  OSHA may fine your business if an employee is injured in this manner based on your dealership’s obligation to provide a workplace free of serious hazards.  In order to mitigate potential liability from personal injury lawsuits and OSHA fines arising from distracted driving, your employee handbook should clearly communicate your dealership’s policies against distracted driving.

Sensitive Data:  Mobile phones used in conjunction with business activities are covered under federal and state laws that address privacy and fraud prevention, like the Safeguards Rule of the Gramm-Leach-Bliley Act and the Red Flags Rule.  If your employees receive nonpublic personal information on mobile phones, your compliance processes must include how you safeguard this information and what steps your business takes to monitor employee use of this information.  Laws such as the Safeguards Rule and the Red Flags Rule require businesses to conduct ongoing evaluations of processes and implement changes when they find shortcomings.  Do not forget to include mobile phones in your review of your compliance efforts.

Personal vs. Private Use:  There are several issues that involve employees’ use of mobile phones that blur personal and private use.  For example, does your business provide mobile phones or do you allow employees to BYOD (Bring Your Own Device)?  If you provide mobile phones, are employees allowed to use them for personal reasons?  Do you have ways to remotely lock and erase data contained on mobile phones should employees lose them?  Are employees permitted to use their personal mobile phones to act on your company’s behalf, such as posting content to the dealership’s social media websites or answering leads?  Do you allow employees to receive consumers’ nonpublic personal information on their personal mobile phones?  Do employees use mobile phones to conduct business on behalf of your dealership while “off the clock?”  Each of these questions presents issues that your business should address in your employee handbook.