Auto dealerships are often under the misconception that they are too small to be targeted in a data breach, but the reality is dealerships – of every size – house highly sensitive confidential information from drivers’ licenses to insurance documents to payment receipts, which makes every dealership a target for information theft and data breaches. In fact, identity theft tied to auto loans and leases increased 43 percent in the last year, and the value of this type of fraud could be as high as $6 billion per year.
Just last June, security researchers discovered an exposed online database containing the details of about 10 million vehicles that had been sold in the U.S. It was later determined that criminals had been accessing the data, which included vehicle identification numbers and personal details about the owners, to clone VINs and make stolen cars appear legal. With 61 percent of small businesses, including auto dealerships, affected by cyber attacks in 2017, information security should be a top priority.
What’s more, dealerships are considered “financial institutions” because they store and collect customers’ financial information, which means dealerships have a regulatory responsibility to follow legislative guidelines established to protect against unauthorized access to the personal information of their customers. If the legal consequences aren’t enough to prompt auto dealerships to take a second look at their information security policies, the potential for steep regulatory fines, a loss of business reputation and, in turn, future customer and revenue losses should encourage dealers to reconsider existing information security protocols.
With 63 percent of security thefts identifying customer records as the most likely form of information to target, dealerships can take steps to ensure that their customers’ information, and thus their business reputation, is protected. To create a strong information security strategy, here are five aspects dealerships should consider:
Physical safeguards are just as important as IT safeguards
In light of recent cyber breaches, auto dealerships are increasingly investing in digital information security standards and frameworks – which is important! However, they often overlook the massive amounts of physical information produced inside a dealership office each day – which is all client information that’s created and documented offline – and the risks associated with having this type of information “out in the open” and vulnerable to theft.
Identifying risk points of physical information throughout your dealership is the first step toward creating a more secure business. The most vulnerable physical information points often lie in unassuming places – think printers, messy desks, old storage bins and employee trash cans that are scattered and unattended throughout the office. These risk points are susceptible to outside theft and employee theft because they could contain documents (or even piles of documents) with sensitive client and company information.
To prevent breaches or theft from these risky areas within your office, identify a document management process and timeframe that details how to securely organize physical documents for storage, retrieval and record-keeping. Key areas to include within the document management process:
- Determine a lifespan for physical documents, which allows managers to keep tabs on how sensitive materials are being handled within the dealership and ultimately mitigate the risk of a breach or theft.
- Keep documents in secure, locked filing cabinets.
- Shred all customer documents before tossing them – one employee casually dropping a sales receipt or credit application into the recycling bin can undo everything.
While implementing a document management process may seem like an obvious tactic, 37 percent of business leaders admit they don’t monitor how often employees store or remove confidential information in the office.
Knowledge is power
In addition to creating a secure document management plan, it’s also important to make information security an employee priority at all levels of the business. Up to 25 percent of information breaches are caused by employee error or negligence, and to limit mistakes, auto dealerships should have a documented data security policy in place and understood by all employees. Dealerships should hold ongoing employee training or check-ins to ensure both new and seasoned employees are up to speed on the dealerships’ current information security protocols. All employees – from salesmen, to support staff, to HR – should know how to identify, handle and dispose of confidential information, whether that information belongs to clients or the dealership itself.
Like most businesses that work with private and confidential information, dealers are heavily regulated and governed. Dealerships need to be aware of the different privacy laws and legislation that are designed to protect identities, financial data and personal privacy as they pertain to the business. For example, under the Gramm-Leach-Bliley Act, dealerships must provide clients and third parties with a description of privacy policies and practices. The Disposal Rule also affects dealerships, stipulating that when a consumer report is no longer needed, the paper file must be immediately and securely shredded or the digital file destroyed. It’s important for dealers to be diligent about how these laws will affect their operations to ensure that they do not face legal consequences – or steep fines.
Dealerships often have to share confidential customer information with third-party businesses, such as insurance companies and financial organizations, and it can’t be assumed that external partners have similar information security standards. To avoid the loss or theft of customer data as it’s being shared or sent to other businesses, it’s important to confirm the confidentiality and information security protocol of an external partner before sharing client information with them.
Dealerships also see various visitors come and go on a daily basis. With visual hacking on the rise, it’s important that employees are alert during business hours to monitor unusual activities, such as visitors taking photos in “high risk office areas.” Authorizing and escorting all visitors to the appropriate support staff, whether they are customers, service personnel, maintenance workers, or delivery people, should be a standard procedure for business.
Stay secure, shred it all
Shredding before you trash documents is one of the most secure ways to get rid of sensitive information. This type of document destruction eliminates the “what if?” and ensures that dealerships are securely disposing of unwanted papers and devices. Additionally, this type of document disposal may be required to meet industry compliance standards, and it’s best to establish protocols that safeguard confidential information in day-to-day operations.
At the end of the day, reputation is everything, especially in the auto industry when consumers have limitless options to choose from. Protecting your reputation means protecting your clients’ information through an all-encompassing information security strategy.
Author: Ann Nickolas
Ann Nickolas, Vice-President of Shred-it, oversees new business development and account management for customers in the commercial, healthcare, and government verticals. In her role, Ann helps businesses secure their confidential information with products and services, policies and training, that help protect them from the risks, fines, penalties, and loss of revenue that come with an information breach. With a history of senior leadership roles in respected global companies like Compass, Cintas and Coca-Cola, Ann is uniquely positioned to understand the specific information security and privacy challenges facing the hospitality industry.