Update on Data Security: Protecting your Biggest Liability

A data security breach is any dealership’s worst nightmare.  Consumer information is the currency of the Internet age, and whether you are hacked electronically or your paper files are compromised, you are facing a potentially huge liability.  The potential consequences include legal and forensics costs; systems or process fixes; notices to affected consumers; press and PR; notices to regulators; diversion of resources; fines and penalties; class action lawsuits; and loss of customer goodwill, just to name a few.  An identity theft think tank, the Ponemon Institute, calculated the “all-in” cost of a security breach in 2011 to be $214 per record compromised.  The FTC entered into fifteen 20-year consent decrees with companies last year for poor data security.  The risk is real and it is truly the biggest financial liability your dealership potentially faces.

It is more important now than ever that your Safeguards Program be up to date and that you take steps to protect consumer information in both paper and electronic form.  Here are some best practices for doing so, as well as requirements from the FTC for compliant Safeguards programs:

  1. Limit access permissions to consumer information.  Who at your dealership really needs access to customer information and how much access do they need?
  2. Log every instance of an employee accessing a consumer file, whether in paper or electronic form.  Watch for spikes in employees’ activity.  Identity theft rings pay dealer employees to compromise information, and if you monitor activity patterns, you may be able to stop or limit it.
  3. Disable the ability to download customer information from your PCs to portable media such as USB drives, external hard drives, or other remote devices.  Better yet, put your customer information on a secure server and make PCs “read only.”  Lock up all your paper files and make a trusted employee the “gatekeeper” who logs files in and out.
  4. Have a security breach response plan in your Safeguards Program.  The FTC requires this and time will be critical in the aftermath of a breach to identify the problem, fix it, and take appropriate response measures.  Test the plan by doing mock drills.  If the unthinkable happens, you don’t want to be responding on the fly.
  5. Train your employees continuously.  Every new employee should be trained immediately, and employees should be retrained considerably more often than once per year.  Only by creating a culture of data security in your dealership will you be able to effectively implement your Safeguards program.  Build safeguarding of data into your compensation plans.
  6. Institute a clean desk policy and don’t leave any consumer information in plain sight where it can be taken or even photographed with a cell phone.  Manage customer information securely from the moment you receive it until the moment you securely dispose of it.
  7. Have security professionals do periodic “stress tests” on your systems.  Keep anti-virus, anti-malware and firewall software up to date at all times.  Limit the Internet sites that your employees can visit, as many contain malware.  Also make sure employees understand not to click on links in emails from unknown persons or in phishing emails (emails that appear to be from a trusted source but are not if you look more closely).
  8. Have employees use complex passwords (letters, numbers and characters) and change passwords at least once every 60 days.  Don’t share passwords or leave them written on Post-It notes or other papers.
  9. Wipe the hard drives of digital copiers, fax machines and PCs before disposing of them or trading them in.  All data, even deleted data, is kept on their hard drives.  Software to wipe hard drives is commercially available.

These are just some of the items the FTC has cited in its consent decrees, all of which are fairly reasonable to implement.
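One way to implement the activity monitoring in item 2, as an added example that is not part of the original article: it counts the distinct customer records each employee opens per day and flags days far above that employee's own baseline.  The log format, field names, thresholds and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed log format (constructed): date, employee ID, customer record ID.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) action=\S+ record=(\S+)$")

def daily_counts(lines):
    """Return {employee: {date: distinct customer records accessed}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # skip malformed lines instead of crashing the monitor
            day, user, record = m.groups()
            seen[user][day].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}

def find_spikes(lines, factor=3.0, floor=10, min_history=3):
    """Flag (employee, date, count, baseline) when a day's count is at least
    `floor` and more than `factor` times the median of the employee's earlier
    days. Accounts with little history are compared to the peer median."""
    counts = daily_counts(lines)
    if not counts:
        return []
    # The median is robust, so a few spike days barely move the peer baseline.
    peer = median(c for days in counts.values() for c in days.values())
    alerts = []
    for user, days in counts.items():
        history = []
        for day in sorted(days):
            n = days[day]
            base = median(history) if len(history) >= min_history else peer
            if n >= floor and n > factor * base:
                alerts.append((user, day, n, base))
            else:
                history.append(n)  # flagged days never become "normal"
    return sorted(alerts)

def sample_log():
    """Constructed sample data, not real dealership logs."""
    plan = {"jsmith": [4, 5, 4, 6, 5, 40], "mlee": [6, 7, 6, 5, 6, 7],
            "temp1": [0, 0, 0, 0, 0, 30]}
    lines = []
    for user, per_day in plan.items():
        for i, n in enumerate(per_day):
            for r in range(n):
                lines.append(f"2012-03-{5 + i:02d}T10:00:00 user={user} "
                             f"action=view record=C{i}{r:03d}")
    return lines

if __name__ == "__main__":
    for alert in find_spikes(sample_log()):
        print(alert)
```

The same counting works for a paper-file sign-out sheet once its entries are keyed in as one line per file pulled.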

The head of the Federal Bureau of Investigation, Robert Mueller, struck an ominous note about the threat of digital attacks. “There are only two types of companies,” Mr. Mueller said in a recent speech at a security conference, “those that have been hacked and those that will be.”  Smaller entities such as auto dealers are viewed as easier targets than large companies.  That’s why it is important that you dedicate the time and resources to do a Safeguards upgrade now.  As the holder of a treasure trove of consumer data, chances are you may be on some criminal’s radar screen.

Randy Henrick is Associate General Counsel and lead Compliance Counsel for DealerTrack, Inc.  This article is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations from a knowledgeable attorney or compliance professional licensed to practice in your state.