Safeguards: Customer Information Security Policy - Continued

Customer Information May Be Shared With Authorized Individuals And Vendors, Only

Customer Information may be shared with third parties as follows:
• The guest, upon providing government identification or a notarized request
• The guest’s agent, upon providing a power of attorney or other legal document, as well as government identification
• Authorized vendors who have passed a safeguard review by the Director of Cybersecurity
• Law enforcement may view Customer Information upon providing government identification. Law enforcement may only remove Customer Information upon providing a subpoena or similar authorization.
• Government agencies, OEM and financial institutions with a right to inspect or audit may access Customer Information.
• All vendors receiving Customer Information undergo a security risk assessment. You must never share or purchase Customer Information from anyone other than a vendor approved by the Director of Cybersecurity.
• The following are examples where Customer Information may not be shared:
  • Prohibited: Obtaining customer lists from a vendor or prior employer for marketing purposes. The Company’s Marketing Department must approve all customer lists.
  • Prohibited: Paying someone to mail birthday cards to your favorite clients. Guest names, contact information and birth dates are safeguarded information and may not be shared even for positive reasons.
  • Prohibited: Entering Customer Information into an unapproved application, even if the application has a good reputation, such as Google or Facebook.
• Be alert for fraudulent attempts to obtain your password or Customer Information. Be particularly wary of any request that occurs over the phone or email. Identity thieves have very clever ways to pose as legitimate customers, vendors or government officials. Report suspicious activity to dealership management or law enforcement.

Customer Information Disposal Must Be Secure

• Customer Information must be securely destroyed in two years, or less, unless subject to a longer retention period under the Company’s Record Retention Policy.
• When disposing of paper Customer Information, you must use a secure (locked) waste bin or shred the information.
• When disposing of digital Customer Information, you must fully wipe all digital data before reusing or discarding data storage equipment (including where old data storage equipment is sold or released).
• Dispose of equipment only as authorized by the IT help desk. This is because the hard drives of computers, tablets, photocopiers and other equipment may contain Customer Information, which must be removed before disposing of or returning the leased equipment.

Exceptions to this policy must be approved by the Director of Cyber Security.

No policy should be construed to confer any express or implied contractual relationship or rights to any Team Member. The Company reserves the right to modify any policy as necessary, in its sole discretion, to the extent permitted by law. Violation of any Company policies or procedures can result in disciplinary action up to and including termination of employment. If you have any questions about this handbook or Company policies, please feel free to discuss with your Manager or HR.