RICHARD CHEVROLET INC.

INFORMATION SECURITY PROGRAM

(SAFEGUARD RULE)

(REVISED 12/31/08)

 

THE SAFEGUARD RULE DEALS WITH HOW RICHARD CHEVROLET PROTECTS INFORMATION ABOUT ITS CUSTOMERS. THE SAFEGUARD RULE APPLIES TO ALL “FINANCIAL INSTITUTIONS”. AUTOMOBILE DEALERS ARE CONSIDERED FINANCIAL INSTITUTIONS UNDER THE SAFEGUARD RULE. THE SAFEGUARD RULE REQUIRES RICHARD CHEVROLET TO ADEQUATELY PROTECT AND SAFEGUARD “CUSTOMER INFORMATION”, WHICH IS ANY RECORD CONTAINING NON-PUBLIC INFORMATION ABOUT A CUSTOMER, WHETHER ON PAPER, ELECTRONIC OR OTHER FORM, THAT IS HANDLED OR MAINTAINED BY OR ON BEHALF OF RICHARD CHEVROLET OR ITS AFFILIATES. SUCH INFORMATION INCLUDES A CONSUMER’S CREDIT REPORT OR CREDIT APPLICATION, ACCOUNT NUMBERS, BANK BALANCES, CREDIT CARD INFORMATION, ETC.

 

PROGRAM OBJECTIVES:

1. INSURE THE SECURITY AND CONFIDENTIALITY OF CUSTOMER INFORMATION.

2. PROTECT AGAINST ANY ANTICIPATED THREATS OR HAZARDS TO THE SECURITY AND/OR INTEGRITY OF CUSTOMER INFORMATION.

3. PROTECT AGAINST UNAUTHORIZED ACCESS TO OR USE OF CUSTOMER INFORMATION THAT COULD RESULT IN SUBSTANTIAL HARM OR INCONVENIENCE TO ANY CUSTOMER.

 

FIVE REQUIRED ELEMENTS FOR INFORMATION SECURITY PROGRAM:

1. DESIGNATE AN EMPLOYEE TO COORDINATE OUR I.S.P.

2. REASONABLY IDENTIFY INTERNAL AND EXTERNAL RISKS TO THE SECURITY OF CUSTOMER INFORMATION.

3. DESIGN PROGRAM AND AUDIT PROCEDURES TO MAKE SURE OF ITS EFFECTIVENESS.

4. OVERSEE SERVICE PROVIDERS.

5. MUST EVALUATE AND ADJUST I.S.P. AS BUSINESS CHANGES AND AS A RESULT OF AUDIT BY COORDINATOR.

 

BREAKDOWN OF FIVE REQUIRED ELEMENTS:

1. THE ASSIGNED COORDINATOR IS JASON VIANESE. HIS JOB WILL BE TO OVERSEE THE PROGRAM FROM START TO FINISH AND TO DEVELOP, IMPLEMENT AND MAINTAIN A WRITTEN I.S.P.

2. CREATE A WRITTEN POLICY FOR ALL OUTSIDE VENDORS TO COMPLY WITH.

AUDIT AND MONITORING REQUIREMENTS

OUTLINE OF THE I.S.P.:

INTERNAL SECURITY:

 

A. EMPLOYEES

1. ALL NEW EMPLOYEES WILL BE GIVEN OUR WRITTEN POLICY ON CUSTOMER INFORMATION SECURITY AND WILL BE ASKED TO ABIDE BY SUCH PROGRAM. A COPY OF THE POLICY IS INCLUDED IN THE EMPLOYEE HANDBOOK. EACH EMPLOYEE SIGNS AN ACKNOWLEDGEMENT FORM, WHICH IS KEPT IN THEIR EMPLOYEE FILE.

2. A BACKGROUND CHECK IS DONE ON ALL NEW EMPLOYEES BEFORE THEY ARE HIRED.

3. NEW EMPLOYEES WILL BE ASSIGNED A PROGRAM/PASSWORD TO CUSTOMER INFORMATION/SOFTWARE/WEBSITES BASED ON “NEED TO KNOW” AND JOB REQUIREMENT.

4. CURRENT EMPLOYEES WILL BE GIVEN OUR WRITTEN POLICY ON CUSTOMER INFORMATION SECURITY AND WILL BE ASKED TO ABIDE BY SUCH PROGRAM. A COPY WILL BE PUT IN THEIR EMPLOYEE FILE.

5. ANY DISCARDED, NON-PUBLIC CUSTOMER INFORMATION IS TO BE SHREDDED. THERE ARE SHREDDERS IN THE F & I OFFICES AND MAIN OFFICE.

 

B. SALES AND F&I DEPARTMENTS

1. CUSTOMER FILE FOLDERS OR CUSTOMER INFORMATION CANNOT BE LEFT LYING AROUND. ALL CUSTOMER INFORMATION MUST BE PUT AWAY IN LOCKED FILE DRAWERS.

2. ALL INFORMATION FAXED MUST BE WATCHED TO MAKE SURE THAT NO INFORMATION IS LEFT ON OR BY THE FAX MACHINE.

3. F&I DEPARTMENT MUST KEEP THEIR OFFICES LOCKED AT NIGHT. THEY CANNOT LEAVE A CUSTOMER ALONE IN THEIR OFFICE IF THEY HAVE OTHER CUSTOMER INFORMATION LEFT OUT. ALL CUSTOMER INFORMATION SHOULD BE IN LOCKED FILE CABINETS IF THE RESPECTIVE MANAGER OR SALESPEOPLE ARE NOT IN THEIR OFFICE.

 

C. SERVICE, BODY SHOP AND PARTS DEPARTMENTS

1. MAKE SURE ONLY AUTHORIZED PERSONNEL HAVE ACCESS TO CUSTOMER INFORMATION.

2. AT TIMES A CUSTOMER WILL GIVE A CREDIT CARD NUMBER OVER THE PHONE. MAKE SURE THE CUSTOMER CREDIT CARD NUMBER IS DESTROYED AFTER IT IS RUN THROUGH THE CREDIT CARD MACHINE.

3. ALL TICKETS ON SATURDAY THAT ARE PROCESSED HAVE TO BE PUT AWAY AND NOT LEFT OUT BECAUSE SOME OF THEM HAVE CUSTOMER CREDIT NUMBERS, CHECKS WITH DRIVER'S LICENSE AND OTHER CUSTOMER INFORMATION ATTACHED TO THEM.

 

D. MAIN OFFICE

1. ALL FILE CABINETS HAVE TO BE LOCKED AT NIGHT.

2. ALL CREDIT CARD SLIPS HAVE TO BE LOCKED UP.

3. ONLY AUTHORIZED EMPLOYEES HAVE COMPUTER ACCESS TO CUSTOMER INFORMATION.

4. PRIOR YEAR CUSTOMER DEALS ARE CURRENTLY IN THE BACK AREA AND ARE BAR LOCKED. THE KEYS ARE IN THE OFFICE OR IN THE F&I DEPARTMENT. THE SALES DEPARTMENT IS REQUESTED NOT TO REMOVE THE ENTIRE FILE BUT TO WRITE DOWN OR COPY NEEDED INFORMATION ONLY.

5. ALL PRIOR CUSTOMER DEAL FOLDERS ARE STORED ABOVE THE PARTS DEPARTMENT. ONLY AUTHORIZED PERSONNEL ARE ALLOWED IN THE PARTS DEPARTMENT. WHEN UNATTENDED THE PARTS DEPARTMENT IS LOCKED.

 

COMPUTER SAFEGUARDING

1. EMPLOYEES ARE NOT ALLOWED TO GIVE OUT THEIR PASSWORD(S).

2. MAKE SURE ALL TERMINALS HAVE A PASSWORD PROTECTED SCREENSAVER.

3. ALL PASSWORDS SHOULD BE AT LEAST FIVE CHARACTERS LONG.

4. ALL COMPANIES THAT HAVE DIAL UP PERMISSION MUST ABIDE BY OUR PRIVACY RULES.

5. ALL VENDORS THAT WE NO LONGER USE MUST BE DELETED FROM THE SYSTEM.

6. ALL EMPLOYEES WHO ARE NO LONGER EMPLOYED MUST BE DELETED FROM OUR SYSTEM.

7. MAKE SURE WE HAVE CURRENT AND UP-TO-DATE VIRUS PROTECTION AND FIREWALLS, SO THAT NO ONE CAN STEAL OUR CUSTOMER BASE INFORMATION.

8. MAKE SURE ANY CUSTOMER INFORMATION THAT IS TRANSMITTED BY THE INTERNET IS MONITORED.

 

AUDITING AND EVALUATING THE PROGRAM

1. A DAILY SPOT CHECK TO MAKE SURE THE FILES ARE NOT LEFT ON A SALESPERSON’S DESK.

2. REQUIRE OFFICES AND FILE CABINETS TO BE LOCKED.

3. MAKE SURE ALL VENDORS AND EMPLOYEES ARE DELETED AT TERMINATION.

4. MAKE SURE THE ASSIGNED PROGRAMS THAT CONTAIN CUSTOMER INFORMATION ARE ACCESSED BY AUTHORIZED PERSONNEL ONLY.

 
