Do you know someone who was affected by the Equifax data breach? How about the Verifone hack, or the breach within the Internal Revenue Service (IRS)? According to the Identity Theft Resource Center® (ITRC) and CyberScout®, 1,579 data breaches occurred in 2017, representing a 44.7 percent year-over-year increase.
A study of more than 10,000 consumers by Gemalto, a data security firm, stated that 70 percent of consumers would stop doing business with a company if it experienced a data breach, and 69 percent feel businesses don’t take the security of consumer data very seriously.
In retail automotive, dealers have been regulated on consumer privacy ever since the Gramm-Leach-Bliley Act was passed in 1999. Under Gramm-Leach-Bliley, dealers are required to implement, and regularly audit, a written “Information Security Program” to protect information about their customers. This is called the Safeguard Rule. However, in 1999, digital data breaches were not even a feasible consideration for most dealers.
To date, these “Information Security Programs” have detailed how to physically secure private consumer data. It’s because of these programs that most F&I offices are locked, and F&I managers pay very close attention to make sure no private consumer information is displayed on a desk or computer screen for anyone to see.
While these procedures are important, they now need to be augmented to incorporate every possible way a consumer data breach could occur. From a physical standpoint, this includes training the sales team on how to properly manage private consumer information, and holding them to the same standards as F&I professionals. For example, let’s say a salesperson made a copy of a driver’s license for a test drive and the consumer ended up leaving the dealership without purchasing. What does the salesperson do with that photocopy? Do they just put it in their desk trash bin, or do they put it in a secure shredding bin? If they just put it in their desk trash bin, that data is not secure. Anyone could come and take that photocopy out of the trash.
This is the level of detail dealers need to apply to their digital security as well. I recently had the pleasure of interviewing Trevor Lain, the Founder of LexAlign, a Public Benefit Corporation that creates online apps for compliance, on how compliance has evolved to incorporate digital assets. In the interview, Trevor outlined questions dealers need to ask themselves when it comes to securing private consumer information.
- Does my written “Information Security Program” include procedures for each department that handles private consumer data, both digitally and physically?
- Is that program based on my own security risk assessment?
- Have I identified all reasonably foreseeable risks that could result in unauthorized disclosure or compromise of my consumer data?
- Have I assessed the adequacy of the safeguards I have in place?
- Does my dealership have a designated person responsible for customer information security, and is that person an employee with the authority to implement the program?
- How am I overseeing service providers that might have access to, or take possession of, customer information?
- Do my agreements with my service providers require them to implement appropriate safeguards?
- What am I doing to protect customer information from the moment it is collected, all the way through to disposal?
- Does my dealership have sufficient training, oversight, and procedures for securing private consumer data?
A good example of digital security that many dealers are not aware of has to do with the copy machine. Once again, let’s say a salesperson makes a copy of a driver’s license. The copier has electronic records of every piece of documentation that is scanned or copied on the machine. Is the hard drive on the copier encrypted, or protected by a passcode? Is it being wiped on a regular basis? What happens when the copier is put out to pasture? If the copier is leased, is there an agreement in place allowing the dealer to wipe or destroy the drive after the lease ends? If the copier is owned, are there written procedures in place to destroy the drive? These are the questions dealers need to answer for all their electronic records.
Now think of all the ways a Customer Relationship Management (CRM) program can be breached. From the physical standpoint, the customer records hosted on the CRM are actually stored on either a computer or server. How is that physical device itself secured from theft? If the information is stored on a computer, is that computer secured with a cable? If the information is stored on a server, is the server locked down into a rack or fixture? Who has keys or access? Consider how you can make sure that only people with legitimate needs have access to that device.
In the case of electronic exposure, are the records encrypted and protected by firewalls? Is security software, such as anti-malware or antivirus software, installed? Are those programs configured to update automatically? Is there an employee with the authority to install patches and updates, and to disseminate information on security risks for the dealership? These are some of the aspects of digital security of which dealers should be mindful.
Simply moving from the paper-only business model of the ’80s and ’90s to digital documentation has expanded the ways consumer data breaches can occur. This expansion will only increase in the coming years as dealers move to take better advantage of consumers’ digital buying habits. The best way to move forward in this digital era is to continually update your compliance procedures based on the ways you plan to move your business.
With more than 40 years of helping dealers navigate the myriad of regulations affecting the retail automotive space while maintaining profitability, EFG Companies knows how to help dealers assess their current compliance policies and prepare for the future. Contact us today to get started.