Dealership

Policy Documents and Written Reports

What is a policy document?

A policy is a system of guidelines that steers the decisions of management and employees toward the desired outcomes. A policy document is the archived form of your policy, distributed to and acknowledged by your employees.

You should have a Sexual Harassment Policy document that all employees read and acknowledge as well as an employee handbook that new employees must read and acknowledge upon hire. These documents outline the basic rules of the workplace and set the tone for the type of behavior that is expected from each employee.

Your dealership may also need specific policies to address regulations that impact your business. Mosaic designed its policy solution to follow industry-standard Safeguards guidance as closely as possible. Once customized for a particular dealership, those policy documents are retained and deployed through Mosaic’s online Learning Management System.

Deploying these documents through the learning management system allows employees to easily read and acknowledge the policy documents. Those acknowledgments are stored in perpetuity, so if there is ever an issue, they can be easily retrieved.

Why is a Safeguards Policy important for my dealership?

Having an adequate Safeguards Policy is important for several reasons. First, the FTC Safeguards Rule requires you to have a Safeguards Policy. Second, your Safeguards Policy will reflect the aspects of your overall Safeguards Program that affect day-to-day operations and the duties of individual employees.

You should take the rules and behaviors laid out in this document seriously, and your employees should too. The policy document should contain rules regarding the handling of customer non-public information in the three areas covered by the Safeguards Rule: Physical, Administrative, and Technical. In each of these areas, there will be specific rules and actions that you or your employees must follow to protect customer data.

Without a Safeguards Policy in place, you are not only breaking the law, but you are also leaving your employees in the dark about what is expected of them when it comes to handling customer data.

What is a written report?

A written report is an annual requirement of the Revised FTC Safeguards Rule. This report should be presented to the dealership’s board of directors, or to senior management if the dealership doesn’t have a board of directors. The report should include all the documentation collected through the implementation of your Safeguards Program. Some of this documentation will include:

  • documentation of service providers’ compliance with the Rule

  • reports generated from network vulnerability assessments, penetration testing, and/or your continuous network monitoring platform

  • documentation of employee training on the Safeguards Rule

  • documentation of ongoing training of your Qualified Individual