Those impacted by the Texas IDA include any business in Texas that collects personal information, whether from workers or customers. Something as simple as a printed email with the email address visible and a person’s name qualifies. The Act applies to company documents developed before, on, or after the day the Act took effect.
In complying with areas of the Act describe a company's responsibilities as:
698(3) (d) When a business disposes of a business document which contains individual identifying info of a customer of the business, business should modify, by shredding, eliminating or various other methods, the personal identifying information to make it unintelligible or undecipherable. 698(3) (e) A business is in conformity with Subsection (d) if the business agreements with an individual or entity participated in the business of disposing of records for the adjustment of individual identifying information in support of business according to Subsection (d).
The Texas Information Disposal Act entered into law on September 1, 2005
- Gramm-Leach-Bliley Act Privacy Rule. Auto Dealers are considered financial institutions. The GLBA requires auto dealers to protect the privacy of their customers and protect the security and confidentiality of their data. This legislative requirement impacts how auto dealers can collect, store, and share a client's personal and financial information. Dealers must take steps to ensure that customers understand how their data is shared, and that data is adequately secured or disposed of properly.
The GLBA also requires companies to take real, tangible steps towards information security. This includes a written information security plan, a regular, thorough risk analysis, and more. Financial Institutions / Auto dealers must make specific efforts to comply or risk penalties.
- Disposal Rules. The disposal rule is a federal regulation which requires companies that collect consumer reports to dispose of them in a secure process that ensures customer privacy. Proper disposal includes shredding papers in all departments, secure destruction of all digital records, and more. Auto dealers must be sure purchase orders, repair orders, and consumer reports are not left disorganized and unaccounted for. Or at worst not just simply thrown into the trash or a recycle bin.
- Used Car Rule. This regulation mandates auto dealers post a Buyer's Guide before offering a used vehicle for sale. This guide must include information on the car's warranty, an advisory to have the vehicle inspected by a mechanic before the purchase and information about the major mechanical and electrical systems in the vehicle. Dealers must be 100% sure this guide is posted "prominently and conspicuously" on any used car for sale.
- Equal Credit Opportunity Act. Auto dealers are considered lenders and must comply with ECOA. This means dealers must not discriminate based on factors like race, color, religion, national origin, sex, marital status, or age when providing loans. This law also requires that dealers notify applicants of action taken on their applications, report credit history in the names of both spouses on an account, retain records of credit applications, and properly dispose of this information when it is no longer of use.
- Red Flags Rule. This law requires that auto dealers have a written Identity Theft Protection Plan (ITPP) designed to detect and protect against the common warning signs of identity theft. This includes checking for suspicious documents, reviewing unusual changes in a customer's credit report or account activity, and more. Dealers are accountable for and required to be proactive in protecting against identity fraud to comply with the Red Flags Rule.
- Form 8300 and Reporting Cash Payments of Over $10,000. Auto dealers may deal with large cash payments when selling cars, and as such must comply with these federal reporting requirements. Your dealership must file a Form 8300 whenever a cash payment of over $10,000 is received. This form is used by the IRS and Financial Crimes Enforcement Network (FinCEN) in protecting against money laundering.
- Office of Foreign Assets Control (OFAC). The Office of Foreign Assets Control administers and enforces economic and trade sanctions against targeted countries and groups, especially groups involved with terrorism, drug trafficking, and other crimes. Auto dealers are required to check customers' names against the Specially Designated Nationals List - a list of people and groups targeted by the OFAC.
- OSHA 29 CFR 1910.157. Almost every business, including auto dealers, is required to have an Emergency Action Plan to "facilitate and organize employer and employee actions during workplace emergencies." Your dealership must have this written document prepared to protect employees and comply with OSHA standards.
- Regulation Z. This is also known as the "Truth in Lending Act" and requires that lenders, including auto dealers, disclose all credit terms in a clear and meaningful way. It also requires that lenders use the same standard terminology and expression of rates. Auto dealers must be sure customers are presented with clear written information about the terms of their loans to comply with this regulation.
Does your auto dealership comply with all of the above laws and regulations? Are you avoiding data breaches through physical security? Do you have at least one secure shred container in every department that handles consumer information (Sales, F&I, BDC, Service Drive, Body Shop, Accounting.) Many auto dealerships have not met the required compliance standards and may find themselves subject to hefty fines and other legislative regulatory and legal issues as a result of non-compliance.
To learn more about the laws and regulations concerning information security risks or receive a no obligation on-site security risk assessment, and/or to build a comprehensive Information disposal program for your auto dealership, contact PROSHRED® of Houston or call 832-947-5700 to speak with an certified information destruction specialist.