By Monica Baumann, Scali Rasmussen
In recent weeks two data breaches have made headlines across the country, once again drawing attention to the need for businesses to take steps to safeguard customer data. In most jurisdictions, dealers have a legal obligation under both federal and state law to safeguard their customers' information.
These breaches may also increase the salience of data security issues for customers, meaning that your customers may start to ask questions about how you will protect their data and demand good answers. With the legal obligations aligning with customer expectations, now, more than ever, is the time to act.
The Equifax breach, which was first reported in 2017, exposed the data of an estimated 147 million consumers. The Federal Trade Commission reached a settlement with Equifax in July of 2019 that requires Equifax to offer those whose data was exposed either 10 years of free credit monitoring or a piece of a settlement that will range from $575 million to $700 million. Payouts are estimated to be about $125 per victim who chooses the financial payment.
Also in July, Capital One announced that it had discovered a data breach that impacts 100 million people who have accounts with or applied for credit with the company. Capital One has already announced that it will offer free credit monitoring to people affected by the breach and expects to incur between $100 and $150 million in costs related to the incident.
These two high-profile security breaches highlight that security risks come from many directions. The Equifax breach, according to the FTC, was an outside hack perpetrated by criminals who took advantage of a vulnerability in website applications. In contrast, the Capital One hack was an inside job, as a former engineer with Amazon, which runs Capital One’s data servers, accessed the data before attempting to disseminate it online.
Dealerships are not as high-profile targets as international companies like Equifax or Capital One, but they receive and store the same kinds of sensitive customer data and are therefore rich potential targets for criminals. The task of securing your business may seem daunting in the face of determined criminals, but relatively simple steps can make a material difference and will help limit your liability if your company does experience a data breach.
What steps can you take to better secure customer data at your dealership?
- Improve Password Protection
By now it is pretty standard to require passwords to access customer data. However, if these passwords are not strong or are not changed frequently, even requiring a password may not be enough. Implement policies that require a strong password. Most data experts recommend the following:
- Require at least 12 characters
- Require numbers, special characters, and both upper and lower case letters
- Ban use of real words or personal information, such as names or birthdates
In addition, require that your employees change their passwords at least every three months. This can be set up either automatically or by generating quarterly alerts to employees prompting them to change passwords.
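The password rules and the three-month change requirement above can be checked automatically. The following is an added example, not code from the article or from any DMS product; the word list, personal-information tokens, sample passwords and the reading of "three months" as 90 days are all constructed assumptions.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)  # assumption: "three months" treated as 90 days
# Constructed sample list; a real deployment would load a full dictionary.
COMMON_WORDS = {"password", "dealer", "welcome", "summer", "toyota", "honda"}
REQUIRED_CLASSES = {
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
    "upper case letter": r"[A-Z]",
    "lower case letter": r"[a-z]",
}

def policy_violations(password, personal_info, last_changed, today):
    """Return the list of policy rules this password and account break."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    lowered = password.lower()
    # Reject real words even when padded with digits or symbols.
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains real word '{word}'")
    # personal_info holds tokens such as a name or birth year for this user.
    if any(t.lower() in lowered for t in personal_info if len(t) >= 3):
        problems.append("contains personal information")
    if today - last_changed > MAX_AGE:
        problems.append("not changed in the last three months")
    return problems

if __name__ == "__main__":
    today = date(2019, 9, 1)  # constructed audit date
    # Constructed accounts: (password, personal tokens, last change date)
    accounts = [
        ("Summer2019!", ["jordan", "1985"], date(2019, 8, 1)),
        ("Jordan#1985kQz", ["jordan", "1985"], date(2019, 8, 1)),
        ("xV7#qLm2&Rt9z", ["jordan", "1985"], date(2019, 5, 1)),
    ]
    for pw, info, changed in accounts:
        print(pw, "->", policy_violations(pw, info, changed, today) or "OK")
```

A check like this belongs at the point where a password is set, before it is hashed, since a stored hash cannot be inspected for length or content afterward.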
- Limit Access
Not every member of your team needs access to customer data, and those who do will not need access at all times. Limit who can access customer data on a need-to-know basis. You should also consider adding extra layers of security for stored customer data, so that you may track and log access to this broader trove of data.
Data access by vendors should also be limited. In the past it was typical for outside vendors to “pull” customer data directly from dealership DMS systems. Over the last couple of years, though, dealers have started insisting on “pushing” data, as needed, to vendors. Review your agreements to determine how vendors are accessing your customer data and insist on changing to a “push” system if necessary.
- Pay Attention to Physical Security
While most data is stored electronically, dealerships typically will also receive customer data in paper applications and store copies of deal files that contain sensitive customer information. Files left on desks or stored in insecure locations may mean that the public or employees who should not have access to customer data can access that information without ever leaving a record of the access. Ensure that deal files and credit applications are not left on desks in public areas or stored in locations that are not secure. Ask managers to keep an eye out for insecure practices and to work with employees so they know what is expected of them.
- Document Your Efforts and Update Policies
Even the best safeguard efforts cannot prevent all data breaches, all the time. Two important aspects of limiting your liability are documenting your efforts to protect consumer privacy and maintaining updated policies. Both are evidence of the reasonable efforts taken to prevent unauthorized disclosures of consumer data. In addition, dealerships are required to maintain updated policies under the Gramm-Leach-Bliley safeguarding rule.
- Train Employees
Human error is often the biggest data security vulnerability. Employees can inadvertently cause breaches by responding to phishing emails, leaving customer information in the open, or sending files to personal computers. Be sure to train your employees on what steps they must take to secure customer data and remind them on a periodic basis of the importance of following data security procedures. Also consider imposing penalties on employees who fail to adhere to your data security procedures.
Monica Baumann is Regulatory Counsel at Scali Rasmussen law firm. She can be reached at 1-916-449-9534 or mbaumann@scalilaw.com.