When was the last time that, after repossessing a vehicle, you took action to make sure all of the consumer’s personal information stored in it was deleted? If your answer isn’t ‘today’, then you likely need to revisit your privacy practices to keep up with current and evolving legislation and protect your business.
Emerging legislation zeroes in on repossessions
Regulators are increasingly focusing on consumer privacy in the automotive sector, and rightfully so: a modern vehicle is essentially a collection of computers on wheels. Vehicles commonly capture everything from phone records and text messages to garage door codes associated with the user’s home address, and more recent vehicles store information about social media, photos taken, calendar entries, web browser histories, payment systems, and much more! When a vehicle is repossessed, the current user’s information isn’t deleted from the system unless someone physically goes in and follows a series of vehicle-specific procedures to delete it. And just as with any other electronic device your company owns that stores unencrypted information about your customers, if you re-sell that vehicle without deleting the personal information of the previous user(s), you, as the legal owner of the vehicle, have a privacy and data security nightmare on your hands.
New legislation has emerged over the last year that aims to protect consumers. The impact, however, will be felt most by you, the lenders, as the responsibility to delete the information has shifted to your plate. Take, for example, Illinois Senate Bill SB800, which amended The Collateral Recovery Act and recently imposed new requirements for all repossessions performed within the State of Illinois.
The bill, which was signed by Governor Pritzker earlier this summer, comes into effect on January 1. This means that any regulated entity that has historically repossessed, or may in the future repossess, automobiles in the state of Illinois has three months to meet the new compliance requirements and protection standards set by the law.
How you can protect your customers, and your business
Three months might not sound like a long time to implement new procedures, but if you do any business in the state of Illinois, these next twelve weeks will prove pivotal to establishing set guidelines for data deletion in your repossessions.
First, create a plan to ensure data is deleted immediately upon all repossessions. Reach out to your repossession agents or your forwarders, and make sure they understand the importance of deleting this data and the risks that exist if the data is not deleted properly. Make arrangements with them to ensure they can power the vehicles (i.e., agents must have a valid electronic key) to perform the operation, and that they keep good compliance records for each and every vehicle you repossess.
And if you’re not doing repossessions in the state of Illinois, don’t breathe a sigh of relief just yet. Illinois has proven to be a legislation leader when it comes to consumer privacy. What happens in Illinois tends to make its way to other states and, under D.C.’s watchful eye, faster than you might think. Now is the time to act to protect your customers, and your business.