An ounce of prevention is worth a pound of cure.
That's the proverb Matt Woods, director of field operations at the Austin, Texas, dealership consultancy Service Group, stands by when it comes to security in the F&I department.
Take an unlocked filing cabinet in an F&I manager's open, unattended office, for example. How much could that filing cabinet, stuffed with customers' private information, be worth to the dealership? A boatload -- in fines.
"If you have a piece of customer information that is not safeguarded properly, there's a [noncompliance] fine of $40,000 per day," Woods said. "That's where it can be extremely hazardous for a dealer to have stuff sitting out."
Say there are eight files in the cabinet; that's a $320,000 fine, he said.
Dealerships are charged by law with protecting customers' personal information, which can include copies of driver's licenses, Social Security numbers, salary information and insurance cards.
The information must be kept for at least 25 months, according to federal regulations. But stores sometimes hold onto files, including dead deals, far longer to protect themselves against potential consumer lawsuits.
To be compliant in protecting information, dealerships need to lock doors and cabinets and make sure that computers will time out to a password-protected login page.
But even those measures might not solve the problem because of the potential for human error, says David Missimer, vice president of Automotive Compliance Consultants in suburban Chicago.
"A lot of it is common sense, but from a practical standpoint, if you get up and get a cup of coffee, you're not going to lock your door every time" Missimer said.
Dealerships should make small adjustments to guard against simple mistakes. For example, the store could switch out a key lock for a keypad that automatically locks the door and implement a standard written process for restricted access to files, including establishing detailed logs, he said.
"That takes some vigilance, training and auditing and continuing compliance programs to get everyone into a culture of treating that information securely at all times -- because nobody is intentionally trying to jeopardize anything," Missimer said. "We're all human beings, so we need reminders."
Even foolproof protocols can't stop stores' physical information overload, however.
Woods has seen files packed into cabinets in the F&I manager's office and off-site storage areas and hidden in different departments of the store. Sometimes the files are in fireproof, locked file cabinets; sometimes they sit in rows of cardboard boxes.
The easiest solution, he says, is to go digital and put all customer information into a cloud-based computer system to create as little paper as possible.
Instead of making copies, scan licenses, cards or documents directly into the computer system. Online credit and financing applications also help prevent printing and copying information.
Important documents can't be lost in a storage room or destroyed by a fire when they're in a system, Woods says, and are easy to pull for an audit or customer concern.
But it's not yet possible to rid the entire F&I process of paper, says Jim Maxim, president of MaximTrak, a RouteOne F&I digital tools provider in Wayne, Pa.
Together, MaximTrak and Route-One are working to give customers the option to go fully online to finance vehicles and purchase F&I products.
"There's a fragmentation in the industry," Maxim said. There's no set standard for which documents can be digital-only among different state agencies, motor vehicle departments, manufacturers, banks and individual dealerships.
"If you're looking at a model where dealers go paperless, it takes industry collaboration and integration and takes willingness to innovate and build out those platforms that help digitize," he said. "Some folks have gotten different parts of that [digital] segment, but nobody has it all."
Until then, Woods, of Service Group, advises, "If you can do something digitally, do it."