Gallaer said a dealership's plan must:
- Detail how consumers will be notified, as the law doesn't stipulate how. "It should be the way most likely to get in touch with them," he said. It also is important that the dealership be able to track and document its efforts to reach customers, he added.
- Identify the employee designated to carry out the plan. In small dealerships, it is typically the general manager or office manager; in large dealership groups, it might be a compliance person, Gallaer said.
"The idea is that you have somebody in your organization with the authority to put the processes in place and monitor them," he said. "It has to be an employee."
- Explain how the dealership protects consumers' personal information, such as limiting access to sensitive data to essential personnel; limiting access to and periodically changing passwords; and avoiding employees sharing passwords and other computer identification.
And don't forget to secure the physical environment, Gallaer said.
"Things like locking up your files, and if you have a computer server on-site that has customer files on it in an electronic format, you want to have that area secure, too," he said.
If a breach occurs, the Federal Trade Commission, under Gramm-Leach-Bliley, could conduct an investigation of the dealership or file a lawsuit against it, Gallaer said. A good plan can prevent either of those things from happening, he added.
"The dealership is going to want to show that it complied with the law," he said. "You could have a terrible breach and still have zero liability because you had these great procedures and something happened outside of your control."