Data breaches and hacker access to confidential customer information are a growing fact of life. And not just for the Targets and Home Depots of the world. Your dealership and customer information could be at risk if you do not have data security processes in place.
According to Symantec and Experian, three out of five data attacks target small to mid-size businesses and 60 percent of small companies go out of business within six months of a data breach. A breach of your customer information is your biggest financial risk as it threatens your very livelihood. According to one study, the “all-in” average cost of a data breach in 2015 was $201 per record compromised (Ponemon Institute). For a breach that compromised thousands or tens of thousands of customers’ information, well you can do the math.
No one can assure you that you will never be breached. And the FTC will not bring an enforcement action under the Safeguards Rule simply because you incur a breach. They will look at your Safeguards Program and the reasonableness of data security protections and response processes in your program. Let’s discuss some of what is likely to make your dealership a less attractive target and how to respond most effectively if you are breached, whether electronically or by loss or theft of paper deal jackets.
Anatomy of a Data Breach
Attackers today tend to go after the users of your system, because head-on attacks on the perimeter have become harder as firewalls, intrusion prevention systems, and anti-virus gateways have spread. The easiest way in is to compromise an endpoint (a user's device) or to steal the user's credentials, and a common way to do either is phishing. Phishing is an email crafted to look legitimate that either asks the user to supply credentials for "security purposes" or asks the user to click a link leading to a website that installs malware on the device, giving the attacker a foothold inside your system.
The attacker needs only one user to fall for it. Thus people are your biggest data security risk. A well-trained employee is your best defense against potential data and cyber events; a poorly trained or untrained employee is the nightmare that can put you out of business. The FTC has stressed the importance of training everyone in your dealership, from the top down, on data security best practices and of building a culture of data security at all levels.
Where is Your Customer Data?
It is also critical to know where your customer information is located and to audit all access to it. One of the main reasons organizations take so long to detect and remediate breaches is that they don't know where the high-value or high-risk data is stored, so they can't focus their investigation on those systems. Audit logs are among your best tools for spotting unusual activity, which you should investigate immediately. Map customer data as it flows through your system to establish a baseline of what normal activity looks like, and identify normal usage metrics (who accesses which records, how many per day, at what hours). Then, when something deviates from that norm, look at it carefully to see whether it is the sign of an intruder. Data loss prevention software also helps keep information from leaving your system, but monitoring for irregular activity is your best approach.
Don’t forget about paper records. Put an officer in charge of giving and tracking access to deal jackets and other paper files and include that information with your audit logs to track individual user activity. If an employee’s activity spikes, find out why. And securely destroy all electronic and paper records when your data retention periods expire.
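The "baseline, then look for spikes" approach above, applied to both electronic record views and paper deal-jacket check-outs written to one audit log, looks like the following. This is an added example and not code from the article or from Dealertrack; the one-line-per-access log format (timestamp, user, action, record id), the user names, the action names and the access counts are all constructed for illustration.

```python
"""Spike detection over a combined electronic/paper access audit log.

Added example, not code from the original article. The log format is an
assumption: one line per access, "ISO-timestamp,user,action,record-id",
with DMS/CRM record views and paper deal-jacket check-outs written to the
same log so that one baseline covers both.
"""
from collections import defaultdict
from statistics import mean


def parse_log(lines):
    """Turn raw log lines into events; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, record = line.split(",", 3)
        events.append({"day": ts[:10], "user": user, "action": action, "record": record})
    return events


def daily_counts(events):
    """{user: {day: number of accesses that day}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["day"]] += 1
    return counts


def flag_spikes(counts, today, factor=3.0, min_events=10):
    """Return (user, today's count, baseline) for users whose accesses today
    exceed `factor` times their baseline, the mean of their counts on every
    earlier day in the log (days with no activity count as 0).

    A user with no history gets a baseline of 0, so a brand-new or dormant
    account doing `min_events` or more accesses is flagged as well.
    `min_events` keeps a rare user going from 1 to 4 from raising an alert."""
    all_days = sorted({d for per_day in counts.values() for d in per_day})
    prior_days = [d for d in all_days if d < today]
    flagged = []
    for user, per_day in counts.items():
        today_n = per_day.get(today, 0)
        baseline = float(mean(per_day.get(d, 0) for d in prior_days)) if prior_days else 0.0
        if today_n >= min_events and today_n > factor * max(baseline, 1.0):
            flagged.append((user, today_n, round(baseline, 2)))
    return sorted(flagged)


def build_sample_log():
    """Constructed sample data: (day, user, action, accesses that day)."""
    spec = [
        ("2015-06-01", "jsmith", "VIEW_DEAL", 5),
        ("2015-06-02", "jsmith", "VIEW_DEAL", 4),
        ("2015-06-03", "jsmith", "VIEW_DEAL", 6),
        ("2015-06-04", "jsmith", "VIEW_DEAL", 5),
        ("2015-06-05", "jsmith", "VIEW_DEAL", 6),          # a normal day
        ("2015-06-01", "mlee", "JACKET_CHECKOUT", 3),
        ("2015-06-02", "mlee", "JACKET_CHECKOUT", 2),
        ("2015-06-03", "mlee", "JACKET_CHECKOUT", 3),
        ("2015-06-04", "mlee", "JACKET_CHECKOUT", 2),
        ("2015-06-05", "mlee", "EXPORT_CUSTOMER", 40),     # 16x the usual volume
        ("2015-06-05", "temp01", "VIEW_DEAL", 12),         # account with no history
    ]
    lines = ["# timestamp,user,action,record"]
    for day, user, action, n in spec:
        lines += [f"{day}T09:{i:02d}:00,{user},{action},D-{1000 + i}" for i in range(n)]
    return lines


def detect(lines=None, today="2015-06-05"):
    """Run the pipeline; defaults to the constructed sample log."""
    lines = build_sample_log() if lines is None else lines
    return flag_spikes(daily_counts(parse_log(lines)), today)


if __name__ == "__main__":
    for user, n, base in detect():
        print(f"{user}: {n} accesses on 2015-06-05 vs baseline {base}/day; investigate")
```

On the sample data, jsmith's six views are within his normal range and are not reported, while mlee's 40-record export against a baseline of 2.5 per day and the never-before-seen temp01 account are both flagged for a human to check. The threshold and minimum are starting points to tune against your own logs once you have a few weeks of baseline.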
Tips for Protecting Your Dealership
- Never click on a link or open an attachment in an email unless you know the sender and have confirmed, by some channel other than that email, that they actually sent it.
- Use complex passwords and don't reuse them across sites. One way attackers get in is to take a username and password leaked from another site and try it against many other websites, including your system (a "password reuse attack", also known as credential stuffing). Change your system passwords frequently, and immediately if you suspect one has been exposed.
- Users should not visit websites or download software that your IT department has not approved. A dealer in Georgia had P2P software (a direct person-to-person sharing service for movies, songs, and other content) installed on a computer it used to log into its system. That exposed the machine to everyone on the P2P network, and 96,000 customer names and protected information were stolen. The FTC brought an action against that dealer, and it went out of business within a year.
- The other big risk is running outdated software (such as Windows XP or Windows Server 2003, which Microsoft no longer supports) and not having your IT department apply patches as soon as they are released. One study found that 98 percent of the security incidents studied involved companies that had not installed patches released more than a year earlier (Verizon 2014). Out-of-date operating systems and unpatched software make your system significantly more vulnerable to attack.
- Limit permissions on customer information. The goal is to limit points of entry. Apply the principle of least privilege: give access only to the people who need it to do their jobs, and only to the extent they need it. And don't give everyday user accounts administrator privileges; if such an account is compromised, the attacker can move around your system easily and exploit it.
- Disable the ability to copy customer information onto external or personal devices such as home PCs, smartphones, USB drives, and external hard drives. Ideally customer information is read-only for most users and is held on a dedicated server that requires separate credentials and, if possible, two-factor authentication. Two-factor authentication requires, in addition to the password, a one-time code generated by a hardware token or an authenticator application on a company-issued device such as a smartphone, so a stolen password alone is not enough to log in.
Establish a Security Incident Response Team
The FTC has emphasized the importance of including in your Safeguards Program a security incident response team and a process for handling a breach if you are compromised. The team should consist of senior officers from each relevant group (IT, Legal, Security, PR, and business management), each with an assigned role. If a security breach happens, multiple workflows will start at once and your team should be prepared. You should also have an outside law firm that can retain a forensics expert to be available within 24 hours, as the first 48 hours are critical to containing the breach.
- Test your incident response team alongside "white hat" hackers performing vulnerability assessments and penetration testing of your system; regularly testing the effectiveness of your key safeguards is itself a requirement of a Safeguards Program. Tabletop exercises give the incident response team experience in working together and managing workflows. If social media or the public learns of a security breach, you will need specialized PR people and may need to hire a dedicated call center to handle customer calls. Don't speculate until you have the facts. Just state that you are investigating the incident, are taking it seriously, and will take care of those affected.
- Another good practice is to establish a relationship with your local FBI office before you need it. Each office has cybersecurity specialists on staff who are willing to help, especially in the days immediately after you learn of a breach. They can help you preserve evidence and may help contain the breach. They can also give you cover to delay consumer notices. States require affected consumers to be notified, sometimes in as little as 10 days from the breach, but a written statement from law enforcement that notice would impede its investigation can defer your obligation until you fully understand what took place and what steps you will take for affected individuals.
Expect a visit from the FTC or another regulator. Be prepared to show the systems and processes you have in place, how you continually train your employees to avoid behavior that can cause a breach, how you implemented and practiced response plans with your incident response team, and how you responded once you learned of the breach. Again, anyone can get breached. It happens. But by following the above practices, you can make yourself less susceptible and be better prepared if it does. And when it does (or after a tabletop exercise with your incident response team), do a post-mortem to see what you could have done better, and test and update your Safeguards Program accordingly.
Automotive dealerships are in a particularly difficult position because the nature of their business and the consumer information they hold make them likely targets. Data in both paper and electronic form needs to be protected. Data security is more about people than technology, and if you have not taken steps to protect your data or train your people, the time to start is now.
Randy Henrick is Associate General Counsel and lead Compliance Counsel for Dealertrack, a Cox Automotive brand. This article is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. This article represents Randy’s personal views and not those of his employer. Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations from a knowledgeable attorney or compliance professional licensed to practice in your state.
Author: Randy Henrick
Randy Henrick is Dealertrack’s Associate General Counsel for regulatory and compliance matters. He authors Dealertrack’s annual Compliance Guide and speaks at numerous industry and state association events throughout the year. He has more than 25 years of experience in banking and consumer financial services. Prior to Dealertrack, Randy served on the legal staffs of GE Capital, Citigroup, MasterCard International, and FleetBoston Financial. He lectures extensively to dealers on consumer credit, privacy, identity theft prevention, FACT Act regulations, and other compliance topics related to automotive retailing. He is an Adjunct Professor of Law at New York Law School where he teaches a course on U.S. Consumer Credit and Privacy Law, and is the former Chairman of the Consumer Financial Services Committee of the Business Law Section of the New York State Bar Association.