HOT TOPICS - 2016 MEMBERSHIP DIRECTORY - 129

critical to mitigating the breach and minimizing losses. Those steps should be laid out in advance in your security breach response plan. That is why your plan should assign roles to breach response team members in advance, so that each knows their precise responsibilities and the response team can be assembled immediately.

Do not transmit customer information over insecure channels such as unencrypted email, P2P systems, or wireless access points. These are not secure media. The FTC has cited the absence of data loss prevention software and an intrusion detection system on these media as inadequate practices for an Information Security Program.

Run an OFAC SDN List check on every customer, cash or credit. If you get a preliminary hit, follow the steps listed by OFAC to determine whether the hit is a “false positive.” Do not do business with the customer until you are certain that they are not the person listed on the SDN List. Keep a record of OFAC checks for 5 years.
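The screening workflow described above, as an added example that is not part of the directory text or of any OFAC tool: screen every customer by normalized name, hold a preliminary hit until a reviewer documents the outcome of OFAC's false-positive steps, and stamp each record with a 5-year retention date. The SDN entries, customer names, and the matching rule are constructed placeholders; a real program screens against the list OFAC publishes and uses a commercial screening engine's fuzzy and phonetic scoring.

```python
"""Minimal OFAC-style screening workflow (added example, constructed data).

Shows the three steps the text calls for: screen every customer, block the
transaction while a preliminary hit is open, and keep the record for 5 years.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union
import re
import unicodedata

RETENTION_YEARS = 5  # record-keeping period stated in the text

# Constructed, obviously fictional entries standing in for SDN List data.
CONSTRUCTED_SDN = [
    {"name": "Placeholder Sanctioned Person", "aka": ["Placeholder Person"]},
    {"name": "Fictional Blocked Trading Co", "aka": ["Fictional Blocked Co"]},
]


def name_tokens(name: str) -> frozenset:
    """Fold case and accents, drop punctuation and single-letter initials, so
    'Person, Placeholder S.' and 'placeholder PERSON' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return frozenset(t for t in re.findall(r"[a-z]+", ascii_name.lower()) if len(t) > 1)


def is_preliminary_hit(customer: frozenset, listed: frozenset) -> bool:
    """Conservative placeholder rule: a hit when one token set contains the other
    and the smaller set has at least two tokens. Real engines add phonetic and
    fuzzy scoring; the point here is that a hit is a prompt for review, not a
    verdict."""
    smaller, larger = sorted((customer, listed), key=len)
    return len(smaller) >= 2 and smaller <= larger


@dataclass
class ScreeningRecord:
    customer: str
    checked_on: date
    status: str          # clear | preliminary_hit | cleared_after_review | confirmed_match
    matches: list
    retain_until: date
    notes: str = ""


def retention_deadline(checked_on: date) -> date:
    """Same calendar day, RETENTION_YEARS later; 29 Feb falls back to 28 Feb."""
    try:
        return checked_on.replace(year=checked_on.year + RETENTION_YEARS)
    except ValueError:
        return checked_on.replace(year=checked_on.year + RETENTION_YEARS, day=28)


def screen(customer_name: str, sdn=CONSTRUCTED_SDN,
           today: Optional[Union[date, str]] = None) -> ScreeningRecord:
    """Screen one customer name against every listed name and alias."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    customer = name_tokens(customer_name)
    matches = []
    for entry in sdn:
        candidates = [entry["name"], *entry["aka"]]
        if any(is_preliminary_hit(customer, name_tokens(c)) for c in candidates):
            matches.append(entry["name"])
    status = "preliminary_hit" if matches else "clear"
    return ScreeningRecord(customer_name, today, status, matches, retention_deadline(today))


def may_transact(record: ScreeningRecord) -> bool:
    """Business proceeds only on a clean screen or a documented false positive."""
    return record.status in ("clear", "cleared_after_review")


def resolve_preliminary_hit(record: ScreeningRecord, false_positive: bool, notes: str) -> ScreeningRecord:
    """Record the outcome of OFAC's false-positive steps. Reviewer notes are
    mandatory because the record has to support the decision for 5 years."""
    if record.status != "preliminary_hit":
        raise ValueError("only preliminary hits are resolved")
    if not notes.strip():
        raise ValueError("document how the hit was resolved")
    record.status = "cleared_after_review" if false_positive else "confirmed_match"
    record.notes = notes
    return record


if __name__ == "__main__":
    rec = screen("Person, Placeholder S.", today="2016-03-01")
    print(rec.status, rec.matches, may_transact(rec), rec.retain_until)
    resolve_preliminary_hit(rec, True, "DOB and address differ from the listed individual")
    print(rec.status, may_transact(rec))
```

The deliberately loose token rule produces hits on partial name matches, which is what a real screen does too; the workflow's value is that `may_transact` stays false until a named reviewer writes down why the hit was a false positive, and that the record carries its own retention date.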

Develop a risk-based Red Flags Identity Theft Prevention Program (“ITPP”) and implement it consistently for all consumer credit customers and business credit customers that present identity theft risks. Use your ITPP with every customer and document that you’re doing so. Choose red flags that are appropriate to the size, location and activities of your dealership. If you sell vehicles over the Internet or to customers who never physically come to your dealership, take enhanced steps to verify those customers’ identity. Examine photo IDs, look at recent credit bureau activity, and use an electronic identity verification service to compare customer information against databases of fraudulent activity and to assess the customer’s given Social Security number. Identify any red flags in your ITPP that these actions reveal. If you cannot readily resolve the red flags with the customer, use knowledge-based authentication “challenge” or “out-of-wallet” questions as well. One best practice to address a questionable Social Security number is to ask the customer to access their Social Security earnings statement on their smartphone or a dealership PC. This can be done at http://www.ssa.gov/myaccount/. Escalate problematic customers to your Program Manager and continue to seek additional information or ask more out-of-wallet questions. Make sure your ITPP has a process for documenting your ITPP activities for each credit customer. Do ongoing training and periodic testing of your ITPP. Refine and update your Program as new information about identity theft comes to your attention. Don’t forget about holding an annual Program review for participating employees and making an annual report to your Board of Directors and senior managers.

Educate your employees about the risks of identity theft and the three social engineering attacks of phishing (websites that are established to look like legitimate sites, and emails claiming to be from people you know or recognize); vishing (phone calls from identity thieves claiming to be from financial institutions or other credible sources seeking personal information); and smishing (text messages on mobile devices). As email spam filters have become more sophisticated, fraudsters have turned to other social engineering methods that prey on consumers’ trust. The common use of mobile devices makes smishing an easy scheme. Tell employees not to click on any Internet link unless they are certain of the legitimacy of the source. Emails purporting to come from friends, law enforcement, or trusted institutions contain links that download malware onto the employee’s PC and network if clicked on.
