Meet Always Happy Rent-A-Car, an up-and-coming rental company that's purely fictional. Always Happy RAC has increased its online reservations' volume 33% in the past two years. The company has also introduced a customer loyalty program and used data mining techniques to overhaul its marketing initiatives.
As a result, the president of Always Happy RAC in January forecasted 15% profit growth for the coming year. But there's only one problem: A computer hacker 2,000 miles away has made the RAC's Web site the target of Structured Query Language (SQL) injection attacks. Though Always Happy's homepage assures customers that their transactions are secure, the truth is that the company doesn't store customers' personal data in an encrypted format. The hacker is able to access customers' credit card numbers and home addresses stored in unencrypted clear text.
After the hacker sells the customer data to an identity-theft crime ring, law enforcement officials eventually trace the problems to Always Happy. The company becomes yet another target -- of customer lawsuits and a Federal Trade Commission investigation.
Yes, this cautionary tale is fictional. But it's not that far-fetched. The Federal Trade Commission has filed a number of cases against companies that sell products and services online, charging them with making deceptive claims about how they store customers' personal information.
Car rental companies of all sizes are booking more rentals on their own Web site and requiring the transmission of personal information like home addresses, phone numbers and sometimes credit card numbers. But if your company stores this information on its own servers, you need to establish a security program designed to protect that data's confidentiality and integrity. You also need third-party audits and company-wide training about the importance of protecting customers' personal information.
"Consumers have the right to expect companies to keep their promises about the security of the confidential consumer information they collect," said Lydia Parnes, acting director of the FTC's Bureau of Consumer Protection, in a statement released to the press last November.
What spurred Parnes' statement? It was part of the FTC's announcement that it had settled a case against Petco Animal Supplies, in which the agency accused www.petco.com of security flaws. [PAGEBREAK]
The rise of identity theft, computer hacking and credit card fraud has triggered customer privacy standards for all online marketers, including car rental companies. These standards include 1999's Gramm-Leach-Bliley Act (GLB), various FTC rules and guidelines, and Visa's Cardholder Information Security Program (CISP). State and local governments, as well as financial institutions and insurance providers, can also set customer privacy guidelines. Third-party data security auditors might include some of their own guidelines, too, to qualify clients for certification.
In addition to data protection, these standards can involve disclosure about how a company uses customer data and tracks customer online activity. For example, what is your company's policy on the use of "cookies"? Do you use them to track patterns and trends in Web site visits? Do you share information about Web site visitors with other parties? Do you use advertising cookies sent by third-party Web servers? You may be required by law to disclose this information to consumers.
"A company's compliance requirements depend largely on the size of the operation; its types of transactions; where and how data is collected, shared and stored; and who can and who needs to access customer data," says Eric J. Peterson, director of product development for TSD Rental Management Software.
Peterson advises car rental operators to consult with their attorney, insurance provider and franchisor (if they have one) to learn what steps they need to take to ensure compliance on their end. One option is to outsource customer data storage to a third party like TSD. Through its ISP service, TSD can store a company's customer data on TSD servers at the company’s data center.
For independents and franchisees in particular, outsourcing can be a practical choice. Most of these operators would rather concentrate on their core business -- renting cars -- than to devote so many resources to meeting data security standards. Sensitive financial transactions can also be left to a third party that's certified as compliant.
"Compliance involves firewalls, encryption, the layering of network infrastructure -- concerns that some car rental companies don't want to worry about," Peterson explains. "Keeping the Internet a safe place is a 24/7 effort. You need lots of what we like to call fences -- and many layers of authentication -- before the data can be accessed."
Rental companies such as Hertz Local Edition, Avis, Budget, Thrifty, U-Save and hundreds of independent rental businesses use TSD's secure technology to safeguard data transmissions among their rental locations, insurance companies, GDSes, Internet channel Web sites and customers.
Companies wishing to keep customer data storage in-house, however, have the option of hiring a data security specialist, such as TruSecure, to conduct data security audits and help develop a comprehensive data security plan.
Compliance with FTC standards, the Gramm-Leach-Bliley Act (also known as the Financial Modernization Act of 1999) and Visa's CISP program is crucial for today's car rental operators. But even if your company chooses to store sensitive customer data off-site on secure third-party servers, it's important to develop a security plan for your company. That means defining clear and documented procedures to protect customers' personal data, Peterson says.
All employees need to be educated about the importance of safeguarding privileged customer information. Your company's security policy needs to be highlighted in the employee handbook and in training materials.
What's more, managers should restrict employee access to sensitive customer data, Peterson says. Managing data security should be allocated to a specific staff member, and security measures should be tested and reevaluated on a regular basis.