Vision Dealer Solutions’ Compliance Summary for FTC GLBA Safeguards Rule
The GLBA Safeguards Rule Update requires the implementation of safeguards to ensure the security and confidentiality of nonpublic personal information (NPI).
Dealers must comply with the Safeguards Rule and should oversee their service providers to ensure the safety of customer data. As a service provider and to support compliance with the Rule, Vision Dealer Solutions DBA (VisionMenu, Inc.) has implemented administrative, technical, and physical safeguards as a part of our comprehensive Information Technology (IT) Security program.
Multi-Factor Authentication (MFA) – To coincide with the extended deadline provided by the FTC, MFA will be enabled for all Dealer accounts on 6/09/2023. Once implemented, you will be able to trust your device for 30 days after initial authentication. Dealers will have the option to modify the device trust settings period to a shorter/longer timeframe that meets their needs. If you would like MFA enabled sooner than 6/09/2023, please contact support@visionmenu.com and we will be happy to enable this for you.
See below for safeguards and controls pertaining to customer information.
Customer Information
GLBA Safeguards Rule (16 C.F.R. § 314.2) definition of “Customer Information”
“Customer Information” is defined as any nonpublic personal information collected by Dealer about its customers.
Safeguards and Controls
As per our Software License Agreement, we have written contractual statements addressing compliance with all Safeguards rules pertaining to NPI. See below from section 9 of our SLA:
“NON-PUBLIC PERSONAL INFORMATION. Licensee acknowledges that the sharing of non-public personal information, as defined by the Graham-Leach-Bliley Act, 16 CFR § 314 (the “Act”), poses certain notice requirements to consumers. If Licensee is subject to the Act, 4 it must provide notice to Licensor and identify any non-public personal information, as defined in the Act, that Licensee may from time to time deliver to Licensor. Licensor acknowledges that, from time to time, it may aggregate and store data from Licensee’s customers. Licensor warrants that Licensor does not disclose non-public personal information to third parties. In addition, Licensor represents to Licensee that Licensor presently maintains, and will continue to maintain and periodically test, the efficiency of security programs and measures designed to protect against the disclosure of non-public personal information of consumers. In addition, if Licensee shares nonpublic personal information of consumers with Licensor, Licensor agrees to use its best efforts to comply with the requirements of the Act, and Regulation P of the Health Insurance Portability and Accountability Act of 1996 (42 USC § 1320(d) through 1320(d)(8) (“Regulation P”) and will: (i) use its best efforts to keep confidential all non-public personal information received from Licensee in accordance with the requirements of the Act and Regulation P; (ii) use its best efforts to establish and maintain procedural safeguards to comply with the Act and Regulation P, if applicable; (iii) notify Licensee in the event of an unauthorized use or disclosure of non-public personal information that is caused by Licensor; (iv) return to Licensor any non-public personal information received by Licensor upon the written request of Licensee or destroy any such nonpublic personal information identified or requested by Licensee; and (v) maintain and periodically test all security programs and measures to help ensure that non-public personal information remains confidential in accordance with the Act.”
Vision Dealer Solutions DBA (VisionMenu, Inc.) will maintain Customer Information only for as long as necessary to provide services to active dealers.
Vision Dealer Solutions DBA (VisionMenu, Inc.) will delete all Customer Information related to Dealer on the 1st day after the 1st full month after termination of services.
Vision Dealer Solutions DBA (VisionMenu, Inc.) maintains compliance with, all local, state, and federal legal requirements regarding the required administrative, technical, and physical safeguards under those laws, and all applicable and appropriate industry standards with respect to the privacy and security of the Customer Information that it maintains, processes, obtains, or otherwise has access to
Vision Dealer Solutions DBA (VisionMenu, Inc.) will protect and secure any Customer Information that it maintains, processes, obtains, or otherwise has access to as required under all applicable local, state, and federal privacy data and security laws and regulations.
Risk Assessments
As a part of its Safeguard’s program, Vision Dealer Solutions DBA (VisionMenu, Inc.) will perform an annual risk assessment. This risk assessment will identify reasonably foreseeable internal and external risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of customer information. It will also assess the sufficiency of any safeguards in place to control those risks.