You’ve probably heard about the recent DealerBuilt breach involving sensitive customer information – it is, after all, big news that’s likely to have substantial consequences. The incident is so significant that it is leading not only to the expected legal actions, but may also result in a strengthening of compliance rules for dealership data security practices as a whole. It’s not an exaggeration to say that the effects of this breach are likely to be felt across the automotive industry and will lead dealerships to reevaluate how safe their customers’ information really is. As a BHPH dealer, it’s imperative that you know what happened and what you should do to protect your business from a similar security breach.
According to the FTC complaint, the unencrypted personal data of around 12.5 million auto sales customers – names, birth dates, contact information, and social security numbers – was left accessible, and hackers stole the personal information of more than 69,000 of them. At least 130 dealerships were affected, and it’s possible employee data at those businesses was compromised as well. That alone would be bad enough for all involved, but the FTC also found that DealerBuilt was not following data security rules, making this a far more serious problem for the DMS (dealer management system) company.
In fact, the FTC is treating the DealerBuilt breach in part as a compliance issue. The FTC complaint claims that the company failed to comply with the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires a written security policy, proper information security training for employees, and system monitoring. Without those controls in place, a DealerBuilt employee connected a storage device to the company’s network without first ensuring it had a secure configuration, and the resulting exposure was neither found nor corrected over the subsequent 18 months. During that year and a half, the DMS company did not perform any of the penetration tests or vulnerability scans that would likely have flagged the weak point and prevented the breach. The problem wasn’t noticed until an angry dealership customer called demanding to know why their personal information had been made public on the web.
Needless to say, this has caused significant trouble for DealerBuilt. Part of a proposed settlement will prevent the company from storing, sharing, collecting, selling, or transferring customer data until it can show it has implemented required measures and is fully compliant with data security regulations. As a DMS company whose business relates specifically to collecting and storing such information, this could prove to be a heavy blow unless security issues are dealt with very quickly. Joe Simons, the Chairman of the FTC, stated that the settlement “imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third party assessor’s accountability and providing the FTC with additional tools for oversight.”
Information released by the FTC hints that the agency may not stop there. Joe Simons, in his statement on the proposed DealerBuilt settlement, spoke of “additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices.” This leaves dealerships to wonder whether he was merely commenting on the recent improvements to the FTC’s orders or signaling that stricter data security regulation may be imminent.
Either way, the DealerBuilt breach highlights the need for dealerships, DMS companies, and the like to ensure their own information security is not lacking. No one wants to become the next business to find themselves in DealerBuilt’s proverbial shoes, and it’s all too likely the FTC will be watching more closely than before. The question, of course, is how can you be sure your customers’ information is safe? With the complex and sometimes confusing compliance rules surrounding dealerships, how do you identify exactly what is and is not necessary or required?
One of the best things you can do to protect your BHPH dealership or industry vendor business is to maintain a compliance checklist that covers data security. According to the NIADA, the information security points on this list should include: appointing a Privacy Officer who oversees all customer information and privacy concerns, understanding your obligations for both record retention and compliance under the Gramm-Leach-Bliley Act, building and enacting a plan to meet all of those requirements, and training employees to handle sensitive data properly. There are, however, some other things you can do that will help keep your customers’ data – and your company – safe.
Where employees are concerned, simply holding a training session is not enough. BHPH dealerships and other companies should have a written employee manual, including data security policies, that can be referenced at any time. Your dealership should keep only the data you are required to keep and the data you actually need. If you are currently using social security numbers as employee or customer IDs, switch to a different, less sensitive identifier. Data should never be transferred or sent unencrypted. A written data destruction policy should be kept and followed, including securely wiping hard drives before disposal; reformatting alone does not remove the data, so overwrite the drive with a wiping tool or physically destroy it. Paper records should be locked up at all times and shredded before disposal, and regular vulnerability scans should be run so that misconfigured or newly exposed systems are found by you before they are found by an attacker. Only encrypted data should be copied to portable devices, and portable media such as CDs should be destroyed before disposal. Finally, computers should always be secured with password protection, screens that lock automatically after a period of inactivity, regular software updates, and usage restrictions that block access to file sharing sites and the like.
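The scans mentioned above only help if someone compares the results against what each machine is supposed to expose; an open port on a backup appliance that nobody expected is exactly the kind of finding that went unnoticed for 18 months in the DealerBuilt case. The following is an added example, not code from the original article or from DealerBuilt: it parses nmap’s greppable (-oG) output and reports every open port that is not on a per-host allowlist. The scan lines, host names, addresses, and the allowlist are all constructed for illustration.

```python
"""Baseline check over network scan results.

Added example (not from the original article or DealerBuilt). Parses
nmap's greppable output (-oG) and flags any open port that is not on a
per-host allowlist, so a device that quietly exposes an unexpected
service shows up in the next scheduled scan. The sample scan output and
the allowlist below are constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -oG -` output (hosts and addresses are made up).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 02:00:00 2024 as: nmap -oG - -p- 10.20.30.0/24
Host: 10.20.30.5 (dms-app.example.internal)\tStatus: Up
Host: 10.20.30.5 (dms-app.example.internal)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (65533)
Host: 10.20.30.9 (backup-nas.example.internal)\tStatus: Up
Host: 10.20.30.9 (backup-nas.example.internal)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 9000/open/tcp//cslistener///\tIgnored State: filtered (65532)
# Nmap done at Mon Jan  1 02:04:00 2024 -- 256 IP addresses (2 hosts up) scanned
"""

# Constructed allowlist: the (port, protocol) pairs each host is approved to expose.
ALLOWLIST: Dict[str, Set[Tuple[int, str]]] = {
    "10.20.30.5": {(22, "tcp"), (443, "tcp")},
    "10.20.30.9": {(22, "tcp")},
}

# One entry of the Ports field looks like "445/open/tcp//microsoft-ds///";
# only entries whose state is "open" are of interest here.
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)//([^/]*)/")


def parse_open_ports(grepable: str) -> Dict[str, Set[Tuple[int, str, str]]]:
    """Return {host_ip: {(port, proto, service), ...}} for open ports only."""
    result: Dict[str, Set[Tuple[int, str, str]]] = {}
    for line in grepable.splitlines():
        # Skip comments and the "Status: Up" lines, which carry no port data.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        # Fields are tab-separated; keep only the Ports field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, _state, proto, service in PORT_RE.findall(ports_field):
            result.setdefault(ip, set()).add((int(port), proto, service))
    return result


def find_unexpected(
    open_ports: Dict[str, Set[Tuple[int, str, str]]],
    allowlist: Dict[str, Set[Tuple[int, str]]],
) -> List[Tuple[str, int, str, str]]:
    """Return sorted (ip, port, proto, service) tuples not covered by the allowlist.

    A host missing from the allowlist has every open port reported: an unknown
    device answering on the network is itself a finding.
    """
    findings: List[Tuple[str, int, str, str]] = []
    for ip, ports in open_ports.items():
        approved = allowlist.get(ip, set())
        for port, proto, service in ports:
            if (port, proto) not in approved:
                findings.append((ip, port, proto, service))
    return sorted(findings)


def main() -> None:
    findings = find_unexpected(parse_open_ports(SAMPLE_SCAN), ALLOWLIST)
    if not findings:
        print("OK: every open port is on the allowlist")
    for ip, port, proto, service in findings:
        print(f"UNEXPECTED {ip} {port}/{proto} ({service or 'unknown'})")


if __name__ == "__main__":
    main()
```

Run on the sample, the script reports SMB (445/tcp) and an unknown listener on 9000/tcp on the backup appliance, which is the kind of exposure a scheduled scan plus a maintained allowlist catches in days rather than months. In practice you would feed it the output of a real scan (`nmap -oG - -p- <your range>`) run against your own network and keep the allowlist under change control alongside your written security policy.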
The DealerBuilt breach serves as a warning to dealerships and automotive industry vendors everywhere that data security must be taken seriously. The controls these regulations require – written policies, trained staff, monitoring, and regular testing – are the same ones that keep attackers out, so skipping them invites both a breach and the legal trouble that follows it. If your dealership has not yet adopted the measures required by the FTC and the Gramm-Leach-Bliley Act, now is the time. By implementing a security compliance checklist that includes the points above, you greatly reduce the chance that your business will be involved in the next security scandal like the DealerBuilt breach. After all, an ounce of caution is indeed worth a pound of legal trouble.