HOT TOPICS 2016 MEMBERSHIP DIRECTORY 128

regularly to monitor patterns of irregular activity by users. Set your system to prevent downloading or file transfers of customer information to computers, USB memory sticks, PDAs, cell phones, tablets, or other remote devices, and disable PC PSTs. If you have a credit application on your website, make sure it is encrypted and begin safeguarding and tracking access to it from the time it is completed by the consumer and securely transmitted to your dealership. Keep your anti-virus, anti-malware, and firewall software up to date. If you permit employees to use their own devices to access dealership information, do a risk assessment of BYOD issues and see if it is feasible for your dealership to implement a policy to enable employees to use personal devices. If so, employ MDM software to manage the devices. If not feasible, cease their ability to do so and require that only company-issued devices be used to access dealer databases and information.

BYOD policies present challenges for dealers. Dealers can go a long way towards controlling risk by: 1) ensuring that employees are adhering to strong passwords and are using the same security software and rules that are dealership policy for other applications; 2) having an "acceptable use" policy that ensures that employees are not sharing their device with other persons, prevents viewing inappropriate material, and controls what applications are installed; and 3) encrypting any corporate-owned data that might reside on the device. Text messaging should also be discouraged, as it is discoverable from the device in litigation, and the use of acronyms or shorthand often leads to misunderstandings that can be potentially damaging.

Have a pre-established plan in place to deal with data security breaches. The FTC has said that your Information Security Program must include a detailed incident and breach response and notice plan to execute in the event of any security breach or database hack in which customer information is or may have been wrongfully accessed, whether by internal or external persons. Pre-identify a team of people to manage the breach and responses. The team should represent each department that might be affected by a breach or that has to be mobilized to interact with the public, including legal, human resources, privacy, security, IT, communications, and, if you are publicly traded, investor relations. Part of the team's role is to analyze risks to data, data flow, and worst-case scenarios. Test your plan periodically by doing mock drills. Consult your attorney to know your state law and the laws of your customers' states of residence about when you have to give notices to customers about data breaches. Consumers have recently been more successful in claims against retailers for not timely giving notice under state data security breach notice laws. For example, in a case against Target based on its breach of credit card information, consumers filed cases under all 48 state laws, some of which did not allow for private lawsuits. But other state laws were ambiguous—as was the case in Colorado, Delaware, Iowa, Kansas, Michigan and Wyoming—and the court permitted the plaintiffs' cases to go forward. Where state laws were silent as to a private right under the security breach laws, the court inferred a private right of action in all states except Rhode Island, where if a law doesn't give a private right of action, it cannot be inferred. But as to all other states, the court agreed with the plaintiffs that there is an implied right to sue under the data breach notification laws. In 2015, a California court ruled similarly with respect to the Sony data security breach involving claims of negligence, breach of implied contract, and statutory claims. Sony argued that the plaintiffs endured no current or threatened injury that is impending, but the court rejected those arguments. The judge stated, "The[se factual allegations] alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury."

Prepare template customer communications in advance and consider retaining a forensics expert who can quickly capture and analyze your IT system to identify the source of an electronic breach and mitigate further losses. Consider channeling all third-party communications through only one person for consistency. The steps you take in the first 48 hours after a data security breach may be the most
