Automotive Fleet

How Fleets Inadvertently Violate Privacy Laws

There are more than 3,000 federal and state laws and regulations prohibiting unauthorized dissemination of or access to employee personally identifiable information (PII). However, employee privacy is sometimes inadvertently compromised by fleets. This occurs because the PII that was electronically captured by the out-of-service fleet vehicle is not deleted.

Mike Antich, Former Editor and Associate Publisher
December 18, 2016


There are more than 3,000 federal and state laws and regulations prohibiting unauthorized dissemination of or access to employee personally identifiable information (PII). This includes any information that can be used to identify, contact, or locate a single person, such as name, address, zip code, phone number, Social Security number, etc.

A company in possession of this information is legally required to safeguard the privacy of this data. However, employee privacy is sometimes inadvertently compromised with vehicle sales to other employees, remarketing in the wholesale market, accident-damaged vehicles sold as salvage, and “hostage” vehicles repossessed from disgruntled former employees. This occurs because the PII that was electronically captured by the out-of-service fleet vehicle is not deleted.

There are four areas where PII is electronically captured by a vehicle: a universal garage door opener, a navigation system, a Bluetooth module, and a telematics system. (While PII derived from a telematics device may not reside in a vehicle, it does reside elsewhere in a database. What are the safeguards to protect PII at these locations?)

Let’s examine each vulnerability.

Integrated Garage Door Opener: If a vehicle features an integrated remote that can be paired to your garage door opener and that data is not erased or reset, the new owner of that vehicle has the ability to gain entry to the employee’s home. Before reselling a vehicle, reset the integrated remote to the original factory setting. Instructions for doing so are found in the vehicle’s owner’s manual.

Navigation System: Every navigation system gives the option to program a home address. Just as you wouldn’t release an employee’s home address to an unauthorized third party, why retain that same information in a vehicle’s navigation system?

Bluetooth: If a vehicle has hands-free calling via Bluetooth, some employees download their phone contact list from their cell phone into the vehicle’s onboard computer. If not deleted, this contact information is there for the next owner of the vehicle. Not only is a driver’s personal information at risk, but so too is company information. For healthcare companies, this data may include data on patients, which, if released, violates the Health Insurance Portability and Accountability Act (HIPAA), designed to protect a patient's protected health information (PHI), similar to PII.

These concerns have not escaped the attention of OEMs, some of whom are developing an option for future models to easily delete all PII from a vehicle. One scenario is to enter this information via the OBD II port, time-stamp it, and upload it to a secure location or to an online remarketing site verifying PII was deleted.

It is important to remind employees to thoroughly check their vehicle prior to turn-in to remove all personal items. When company vehicles are resold to other employees or non-employees, there is the risk of PII left in the vehicle, such as bank statements, credit card bills, prescriptions, documents that list the driver’s home address, etc. This also applies to vehicles taken away from terminated employees. What is your company policy about removing all PII from a vehicle before it is reassigned to another employee or sent to auction? What about vehicles that have been in an accident and are declared salvage?

Based on one industry study, one-quarter of used vehicles still have PII in them that can be extracted and used for potentially malicious intent.

Privacy More Complicated for Multinationals

Data privacy laws enacted by the European Union (EU) restrict the extent to which U.S. fleet managers can manage data generated by subsidiary fleets in Europe. Known as the European Union Data Protection Directive, it has a direct bearing on U.S.-headquartered fleets, even though it is not law in the U.S. The Directive creates strict rules on the transfer of data concerning European Union employees (past or present) to companies headquartered outside the EU.

The “data” covered by the directive is information about EU employees that identifies the individual by name or other means. The Directive creates rights for employees about whom data is collected. Each of the 28 national governments comprising the EU is allowed to implement the directive in its own way. Entities that collect information must give EU employees notice explaining who is collecting the data, who will ultimately have access to it, and why the data is being collected. EU employees also have the right to access and correct data about themselves.

In the context of fleet management, this privacy protection involves a tremendous amount of personal data contained in MVR records, accident histories, drivers’ home addresses, phone numbers, names of spouses (if personal use is allowed), etc. Likewise, EU privacy laws inhibit the transfer of data about EU citizens to third parties, such as fleet management companies. Under EU law, the data subject (driver) must be explicitly informed of these plans and given the chance to object.

When is the Employee Responsible?

The counterargument is: At what point does a driver have to take responsibility for their own PII? This is an emerging legal issue for fleets that is already being played out in other industries, such as the financial industry. For instance, the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, is a federal law enacted to control how financial institutions deal with the private information of individuals. This comes into play with repossessed vehicles, which, procedurally, is not much different than repossessing a “hostage” company vehicle from a disgruntled employee. Many of these regulations are enforced by the Consumer Financial Protection Bureau (CFPB), which has been known to stretch the scope of who these regulations cover, especially in the automotive sector.

If someone gets unauthorized access to PII data from one of your company vehicles and uses it for nefarious purposes, does this put your company at risk? I’m not sure. But I am sure that some enterprising attorney will argue that it does.

Let me know what you think.

mike.antich@bobit.com
