HOT TOPICS – 2016 MEMBERSHIP DIRECTORY – 127
i. Put procedures in place to keep your security current and address vulnerabilities that may arise – Have a detailed security incident response program included in your Safeguards policy. Update your security software and procedures on a regular basis.
j. Secure paper, physical media, and devices – Prevent NPI from being downloaded or copied onto remote devices such as USB drives or external hard drives. View-only access to NPI on a segregated server is a best practice.
Create a culture of security in your dealership and get senior management buy-in. Limit permission to access customer information to only those persons who need it to perform their jobs; require passwords to contain letters, symbols and numbers and to be changed frequently. Know the flow of information that enters your system and monitor for any unusual data flows in or out; these may be signs that a hacker has entered your system and is compromising security. Keep logs of who accesses customer information and when they do so, for both electronic and paper files. Train your employees on the importance of safeguarding customer information. Do not leave credit applications or credit reports out in the open or in unsecured file drawers. Consider using processes that can determine whether your employees are actually following the policies and procedures in your Information Security Program. Regularly review the access logs for consumer information records and follow up promptly if you see an unusual spike in any employee's or other user's access to customer files. Lock down files at night and on weekends and implement a “clean desk” policy that requires all paper documents containing customer information to be locked up when not in use. The FTC fined a dealer in Georgia $30,000 for having documents containing customer information located in plain sight on a salesperson’s desk.
Create an Information Security Program that details how you safeguard and securely dispose of all your consumer information. Include a detailed data security incident and security breach response plan in the Information Security Program. Follow FTC guidelines for Information Security Programs and know your state’s law on the use, communication and display of Social Security numbers and on consumer notification requirements in the event of a data breach. Avoid storing consumer information longer than is necessary or allowing access using widely known, simple passwords. Make sure your dealership’s Information Security Program includes detailed provisions for the secure disposal of consumer information, both paper and electronic. Train and re-train employees, perform stress tests to evaluate your systems regularly and update provisions as required. Destroy the hard drives and flash drives in computers, copiers, fax machines and wireless devices using industry-standard procedures before discarding them or trading them in for replacements. Disable USB flash memory drives. Try to store customer information only on secure central servers and preclude the ability to download it. Some states (for example, Massachusetts) require that customer information contained on laptops, tablets, cell phones and other remote devices be encrypted. Massachusetts and Nevada also require that personal information about their residents be encrypted in transmission, which is a best practice in any event and is required for credit card data transmission.
Manage user permissions so that customer information is accessible only to those employees and service providers with a legitimate business need, and give them only the permissions they need. More than half of all identity theft originates in the workplace, according to a recent study. In addition to negligently making customer information available for theft by outsiders, employees can and do steal customer information and sell it to identity thieves. So it is critical that you keep event access logs of those persons who access your customer information in both paper and electronic files. Review the access logs
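The access-log review described above and in the earlier paragraph (follow up on unusual spikes in any one user's access to customer files) can be automated for electronic records. The script below is an added example, not from the directory page or any dealer's program; the log line format, the user names and the spike thresholds are constructed assumptions.

```python
# Added example (not from the directory page): flag days on which a user's
# customer-file views spike far above that user's own typical daily count.
# The log format, user names and thresholds are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: normal activity, then mlee pulling 40 files on 03-03.
SAMPLE_LOG = [
    "2016-03-01T09:12:44 user=jsmith record=CR-1042 action=view",
    "2016-03-01T10:03:10 user=jsmith record=CR-1043 action=view",
    "2016-03-01T11:20:05 user=mlee record=CR-1050 action=view",
    "2016-03-02T09:01:32 user=jsmith record=CR-1044 action=view",
    "2016-03-02T09:45:11 user=mlee record=CR-1051 action=view",
    "2016-03-02T14:10:00 user=mlee record=CR-1052 action=view",
    "2016-03-03T08:55:02 user=jsmith record=CR-1045 action=view",
] + [
    f"2016-03-03T{9 + i // 10:02d}:{(i % 10) * 5:02d}:00 user=mlee record=CR-{2000 + i} action=view"
    for i in range(40)
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) record=(?P<record>\S+) action=(?P<action>\S+)$")

def parse_line(line):
    """Split one line into (user, day, record, action); reject malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"malformed log line: {line!r}")
    return m["user"], datetime.fromisoformat(m["ts"]).date().isoformat(), m["record"], m["action"]

def daily_view_counts(lines):
    """Count customer-file views per user per calendar day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        user, day, _record, action = parse_line(line)
        if action == "view":
            counts[user][day] += 1
    return counts

def find_spikes(lines, factor=3.0, minimum=10):
    """Return (user, day, count, baseline) wherever a user's views on one day exceed both
    `minimum` and `factor` times the median of that user's other days (`minimum` stops a
    new user's first views from being flagged against a baseline of 0)."""
    spikes = []
    for user, per_day in daily_view_counts(lines).items():
        for day, count in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            baseline = median(others) if others else 0
            if count >= minimum and count > factor * baseline:
                spikes.append((user, day, count, baseline))
    return spikes
```

Each flagged tuple names the user, the day, the number of files viewed and that user's median on other days, which is the list to follow up on; paper-file sign-out logs can be keyed into the same format.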