RICHARD CHEVROLET, INC.
INFORMATION SECURITY PROGRAM
(“SAFEGUARD RULE”)
(Rev. 10/2010)
The “Safeguard Rule” deals with how Richard Chevrolet protects information about its customers. The Safeguard Rule applies to all “financial institutions.” Automobile dealers are considered financial institutions under the Safeguard Rule. The Safeguard Rule requires Richard Chevrolet to adequately protect and safeguard “customer information,” which is any record containing non-public information about a customer, whether on paper, electronic or other form, that is handled or maintained by or on behalf of Richard Chevrolet or its affiliates. Such information includes a consumer’s credit report or credit application, account numbers, bank balances, credit card information, etc.
PROGRAM OBJECTIVES:
1. Ensure the security and confidentiality of customer information.
2. Protect against any anticipated threats or hazards to the security and/or integrity of customer information.
3. Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
FIVE REQUIRED ELEMENTS FOR INFORMATION SECURITY PROGRAM:
1. Designate an employee to coordinate our I.S.P.
2. Reasonably identify internal and external risks to the security of customer information.
3. Design the program and audit procedures to make sure of its effectiveness.
4. Oversee service providers.
5. Evaluate and adjust the I.S.P. as business changes and as a result of audit by the coordinator.
BREAKDOWN OF FIVE REQUIRED ELEMENTS:
1. The assigned coordinator is Jason Vianese. His job will be to oversee the program from start to finish and to develop, implement and maintain a written I.S.P.
2. Create a written policy for all outside vendors to comply with.
AUDIT AND MONITORING REQUIREMENTS:
Outline of the I.S.P.:
Internal Security
A. Employees
1. All new employees will be given our written policy on customer information security and will be asked to abide by such program. A copy of the policy is included in the employee handbook. Each employee signs an acknowledgement form, which is kept in their employee file.
2. A background check is done on all new employees before they are hired.
3. New employees will be assigned a program/password to customer information/software/websites based on “need to know” and job requirement.
4. Current employees will be given our written policy on customer information security and will be asked to abide by such program. A copy will be put in their employee file.
5. Any discarded, non-public customer information is to be shredded. There are shredders in the F&I offices and main office.
B. Sales and F&I Departments
1. Customer file folders or customer information cannot be left lying around. All customer information must be put away in locked file drawers.
2. All information faxed must be watched to make sure that no information is left on or by fax machines.
3. The F&I Department must keep its offices locked at night. They cannot leave a customer alone in their office if they have other customer information left out. All customer information should be in locked file cabinets if the respective manager or salespeople are not in their office.
C. Service, Body Shop, Parts Departments and Best Rentals
1. Make sure only authorized personnel have access to customer information.
2. At times, a customer will give a credit card number over the phone. Make sure the customer credit card number is destroyed after it is run through the credit card machine.
3. All tickets on Saturday that are processed have to be put away because they may contain customer credit numbers, copies of driver’s licenses, and/or checks with driver’s license information and other such customer information attached to them.
D. Main Office
1. All file cabinets must be locked at night.
2. All credit card slips must be locked up.
3. Only authorized employees have computer access to customer information.
4. Prior year customer deals are currently in the back area and are bar locked. The keys are in the office or in the F&I Department. The Sales Department is requested not to remove the entire file but to write down or copy needed information only.
5. All prior customer deal folders are stored above the Parts Department. Only authorized personnel are allowed in the Parts Department. When unattended, the Parts Department is locked.
COMPUTER SAFEGUARDING
1. Employees are not allowed to give out their password(s).
2. Make sure all terminals have a password-protected screensaver.
3. All passwords should be at least five characters long.
4. All companies that have dial-up permission must abide by our privacy rules.
5. All vendors that we no longer use must be deleted from the system.
6. All employees who are no longer employed must be deleted from our system.
7. Make sure we have current and up-to-date virus protection and firewalls so that no one can steal our customer base information.
8. Make sure any customer information that is transmitted by the Internet is monitored.
AUDITING AND EVALUATING THE PROGRAM
1. A daily spot check to make sure the files are not left on a salesperson’s desk.
2. Require offices and file cabinets to be locked.
3. Make sure all vendors and employees are deleted at termination.
4. Make sure the assigned programs that contain customer information are accessed by authorized personnel only.