Your Privacy Rights
Information Security Policy
DON THORNTON AUTOMOTIVE, LLC
Safeguarding Customer Information
Information Security Plan
Lexus of Tulsa and Land Rover Tulsa
Introduction / Background
On July 1, 2001, the Gramm-Leach-Bliley Act and the FTC Privacy Rule were imposed, obligating Don Thornton Automotive, LLC (DTA) to disclose to our finance, lease and insurance customers how we use and share consumer information. On May 23, 2003, the Federal Trade Commission issued a rule governing the safeguarding of customer records and information for the financial institutions subject to its jurisdiction. The Rule implements the safeguards provisions of the Gramm-Leach-Bliley Act (GLB Act), which requires dealers to develop, implement and maintain a comprehensive written information security program. It also requires dealers to ensure their affiliates maintain appropriate safeguards, and dealers must select and retain service providers that are capable of maintaining appropriate safeguards for the customer information dealers share with them. The compliance date for the Privacy Rule was July 1, 2001, and the final compliance date for the Safeguard Rule is May 23, 2003.
Information Security Policy Objectives
· Ensure the confidentiality and the security of our customers' private information
· Protect against any anticipated threats to the security of our customers' private information
· Protect against any unauthorized access to our customers' information that could result in any damage or inconvenience to them
For purposes of this policy, the Privacy Rule protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a dealership product or service, unless that information is otherwise publicly available.
· Any information an individual has given to get a dealership product or service (name, address, income, social security number, or other information on an application)
· Any information from a transaction involving our financial products or services (for example, the fact that an individual is our customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases)
· Any information received from an individual in connection with providing a dealership product or service (for example, information from court records or from a consumer report)
Information Security Policy
The Managing Program Coordinator has been assigned to periodically review our compliance and document any and all inconsistencies to the Vice President of Operations. Corrections will be made as dictated. Each manager is responsible and accountable for the compliance of their employees and their department. The Managing Program Coordinator is David Litzinger, the General Manager at Lexus of Tulsa. Department Program Coordinators are as follows:
· New Vehicle Sales - Lexus of Tulsa - Todd Morrison
· Used Vehicle Sales - Lexus of Tulsa - Todd Morrison
· Service Department - Lexus of Tulsa - Ted Dollar
· Parts Department - Lexus of Tulsa - Rich Epperson
· Accounting - Lexus of Tulsa - Wayne Pitts
· Information Systems - Lexus of Tulsa - Larry Thomas
· F & I Department - Lexus - Reagan Allison Ford
The safeguard program shall be implemented and maintained by the above personnel as designated by the Dealership. The Managing Program Coordinator shall maintain continuing education of safeguard data protection and shall report to the Vice President of Operations as new policies or procedures may become necessary. Delegating or outsourcing the performance of any function under the Information Security Program may be necessary from time to time.
In the event any coordinator leaves the employment of the Dealership, the Vice President of Operations shall take over those responsibilities until a new coordinator is designated.
The Vice President of Operations shall inspect the Dealership and determine any and all risks to the security of customer information. The inspection shall cover all relevant areas of the operation and shall include the following:
· Employee/Management training
· Systems and procedures
· Network and software
· Response to system failures or attack
Once risks have been identified, the Vice President of Operations and the Managing Program Coordinator will determine whether the current policies and procedures are adequate to comply with the established privacy standards. If the risks are too great, the PC (Program Coordinator) shall revise and implement new policies and procedures to protect the customer's "non-public information".
Audits and Inspections
The Managing Program Coordinator shall test/audit the effectiveness of the policies and procedures periodically but at least on a quarterly basis. The results of those inspections should be presented in writing to the Vice President of Operations.
The Managing Program Coordinator shall be responsible for overseeing service providers who have access to our customer information and for ensuring that they are capable of maintaining appropriate safeguards for the NPI. It may be necessary to require them by contract to implement and maintain such safeguard policies. The Vice President of Operations shall review and approve each service provider contract/policy prior to its execution by the Dealership.
The Dealership shall keep the Managing Program Coordinator apprised of the nature and extent of all third-party relationships and any operational changes or other matters that may impact the security or integrity of the Dealership's customer information.
Personally identifiable information generated by the Lexus of Tulsa website forms will be used and tracked by Lexus Corporate, and may be used by Lexus for their own marketing purposes.