Data Comes from Somewhere, So Let’s Protect It

Customer information security is top of mind today in the equipment finance industry. We are constantly reminded about securing sensitive data, and we have had webinars and ELFA Annual Convention sessions, etc. on this topic. It is great that there is industry-wide awareness, but we still have a long way to go.

I remember in 2014 as I was returning from an overseas assignment in Brazil, taking over the role of President at CNH Industrial Capital from a retiring mentor and friend, Steve Bierman. While attending my first dealer meeting, a distraught dealer approached me and said that he was cited by our auditors for not complying with credit compliance rules. I was shocked to learn that we required our dealers to maintain the signed paper credit application. Furthermore, our auditors periodically checked to see if every submission had a signed paper application. The dealer told me that his salespeople regularly got the applications from the customer, but often forgot to turn them in so that they could be stashed away in a filing cabinet. To say the least, I was flabbergasted, realizing that as one of the largest equipment lenders in North America, we did not have a better solution for our dealers. 

After some additional research, I discovered this was a “normal” industry practice. I met with my team, and we decided to modify our rules and encouraged our dealers to send the paper applications to us along with the retail or lease contracts for safe and secure storage. Then a dealer could destroy the sensitive material. That was a quick fix, and it turned out to be somewhat effective. 

Now fast forward to 2022 when customer information security is more important than ever. Recent updates to Gramm-Leach-Bliley and some state laws define harsh penalties for lack of compliance. Small businesses are encouraged to have insurance to protect themselves, but they will quickly learn that they do not have the tools or processes to comply. (Insurance will not cover breaches where dealers were non-compliment in how sensitive customer data is captured, stored and/or transmitted.)

While breaches have not been commonplace in the equipment industry yet, we have plenty of easy targets. Keep in mind 15 years ago breaches were not common in the dealer automobile industry. Today walk into a car dealer and try to find customer information or paper credit applications. The auto industry has learned the hard way. Platforms like DealerTrack and Route One got their start by solving how to easily protect sensitive customer credit information. Now they are mainstay providers for the auto industry. 

So, you are asking, why am I writing this article focused on equipment dealers? Well, it is simple. Lenders have taken a hands-off approach in our industry. It does not matter if you are a bank, independent or captive lender. Sure, dealer data may come through a secure portal, but the information originated somewhere, most likely a paper or PDF form credit application containing unprotected sensitive customer credit, either obtained in person or received via email. And often not secured properly to protect against misuse or theft. It is time for us to take a closer look, and help our dealers comply. Systems and processes need to be improved to mitigate a breach. If the customer (the dealer) is damaged, we are all damaged, reputation or otherwise. It is easier to be proactive today rather than reactive later.