The Threat Within: Internal Data Breaches and ID Theft

Automotive News recently reported that an Arizona dealer’s F&I Manager was involved in a fraud ring that stole the identities of dealership customers and shared them with a criminal enterprise.  At least a dozen identity thefts were tied directly to the F&I Manager’s theft of non-public personal information from the dealership, with more expected to follow.  In a plea deal, and in exchange for cooperating against the other fraudsters, he was sentenced to ten years in jail.  Presumably the dealership’s liabilities have only just begun.

The F&I Manager had a previous criminal history that had never been investigated by the dealership.  In fact, he had 17 felony convictions for crimes such as burglary, credit card theft, and drug violations.  Yet he was charismatic and a top producer at the dealership earning $200,000 or more annually before he was caught by the local police.

While this story may be somewhat extreme, it points out an important risk that you as a dealer need to protect against: employee misconduct and negligence in performing duties that can expose your dealership to significant liabilities. 

Answer the following as a start: Do you do background and criminal checks on employees you hire who will have access to customer information?  Are you cautious in giving permissions to consumer information to only those employees who absolutely need it to do their jobs?  Do you secure paper and electronic files and keep a log of which employees access customer information and when?  A sudden spike in an employee’s access to customer information (whether in paper deal jackets or electronic dealer databases) should be promptly addressed with the employee.  Do you disable permissions to dealership databases and DealerTrack when an employee leaves?  (In fact, it is a good idea to do so before the employee leaves).  Do you disable the ability to download customer files onto external hard drives, USB drives, and other memory devices?  Do you disable the emailing of customer files to external email?  Do you limit access to DealerTrack from trusted dealership IP addresses only?

Studies have shown that over 50% of data breaches originate from inside the dealership, either due to willful acts of disgruntled or disloyal employees or through negligence such as leaving credit applications, credit reports and deal jackets open and in plain sight.   Data security must be a top priority in your dealership and every employee must be held accountable.  Train and retrain your employees on securing active deal jackets and information from the moment it is received until you securely dispose of it under your Safeguards and Data Destruction policies.  Keep all paper deal jackets locked in a secure facility and appoint a trusted employee to be the “gatekeeper” who records the access of deal files by employees and their return.  Most electronic databases (including DealerTrack’s Activity Reports) give you the ability to track employee access to electronic files.  A great amount of information exists in the paper world as well and the copying or theft of paper files is as much a data breach as someone hacking into your CRM system or downloading customer information onto remote storage devices.  You need to be vigilant with both paper and electronic information.
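The access-spike check described above (an employee suddenly pulling far more customer records than usual) can be automated against an export of the access log. This is an added illustration, not code from the article or from DealerTrack; it assumes a hypothetical activity-report export with one row per record viewed, and the log rows below are constructed.

```python
"""Flag a sudden spike in an employee's customer-record access.

Added example (not the article's or DealerTrack's code). Assumes a
hypothetical activity-report export with rows of
(ISO date, employee, customer_record_id); the sample log is constructed.
"""
from collections import defaultdict
from statistics import mean

DATES = ["2012-01-02", "2012-01-03", "2012-01-04", "2012-01-05", "2012-01-06"]

def _rows(employee, per_day):
    """Build constructed log rows: per_day[i] record views on DATES[i]."""
    return [(d, employee, f"cust-{employee}-{d}-{i}")
            for d, n in zip(DATES, per_day) for i in range(n)]

# Constructed sample: steady baselines for both users, then a jump for one.
ACCESS_LOG = _rows("fi_mgr", [4, 5, 4, 5, 30]) + _rows("sales_1", [3, 3, 4, 3, 4])

def daily_counts(log):
    """Return {employee: {date: number of distinct customer records viewed}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for date, employee, record_id in log:
        seen[employee][date].add(record_id)
    return {e: {d: len(r) for d, r in days.items()} for e, days in seen.items()}

def flag_spikes(log, check_date, factor=3.0, floor=10, min_history=3):
    """Return (flagged, unbaselined).

    flagged: employees whose distinct-record count on check_date is at least
    `floor` and more than `factor` times their own prior daily average.
    unbaselined: employees with fewer than min_history prior days of activity
    who still hit the floor; they get manual review instead of a ratio test.
    ISO dates compare correctly as strings, so d < check_date is 'earlier'.
    """
    flagged, unbaselined = [], []
    for employee, days in daily_counts(log).items():
        today = days.get(check_date, 0)
        history = [n for d, n in days.items() if d < check_date]
        if len(history) < min_history:
            if today >= floor:
                unbaselined.append((employee, today))
            continue
        baseline = mean(history)
        if today >= floor and today > factor * baseline:
            flagged.append((employee, today, round(baseline, 1)))
    return flagged, unbaselined

if __name__ == "__main__":
    print(flag_spikes(ACCESS_LOG, "2012-01-06"))
```

The per-employee baseline matters more than the absolute numbers: a finance manager legitimately touches more deal files than a porter, so each person is compared against their own history rather than a single dealership-wide threshold.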

The FTC has said that your Safeguards Program should include a Security Breach Response Plan in case your customer information is ever compromised.  Assign responsibilities, retain experts such as forensics specialists, and have a plan to take the necessary steps to contain, assess, and respond to the data breach.  46 states require that you send notices to their residents if their information is compromised and the laws are not consistent.  Federal legislation to adopt a uniform national data security notice failed in the U.S. Senate.

An identity-theft think tank, the Ponemon Institute, estimated the “all-in” cost of a data breach in 2011 to be $214 per record compromised.  This includes costs of legal, regulatory, forensics, accounting, PR, investigation, diversion of resources, loss of customer good will, and other tangible and intangible effects on your dealership.  It doesn’t take a great deal of compromised information to produce a huge liability.

Data security may be your dealership’s largest financial risk.  Make 2012 the year you take data security seriously and be proactive to protect and monitor both internal and external threats.   Run mock drills simulating electronic intruder attacks on your DMS and databases; do showroom walk-throughs at busy times to see how much customer information is in plain sight in fax bins, copiers and on desks; test your security incident response plan.  Use IT and forensics experts if necessary to help you do so.  And update your training and monitoring with the knowledge you gain.  It may be the best money you ever spend.

________

Randy Henrick is Associate General Counsel and lead Compliance Counsel for DealerTrack, Inc.  This article is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations from a knowledgeable attorney or compliance professional licensed to practice in your state.