HOT TOPICS

2017

MEMBERSHIP

DIRECTORY

Preserve and review files or programs that may reveal how the breach occurred.

If feasible and appropriate, bring in security and forensics professionals to help assess the breach as soon as possible.

Preassign responsibilities under the incident response program to specific individuals at the dealership so a response team can be quickly assembled and begin to take action immediately.

Consider notifying consumers, law enforcement, and/or businesses in the event of a security breach:

Assess the state laws applicable to your business. Most states have laws that require consumer notification. Your response program should include template letters for customers in all states and territories.

Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm. Certain state laws require the Attorney General or other state regulator to be notified or receive copies of notices that are sent to consumers.

Notify the credit bureaus and other businesses that may be affected by the breach.

Consider as a best practice offering consumers one to two years of credit monitoring or other identity protection service at no charge. A number of states now require providing these services.

Don’t delay in sending the notices once you determine the nature and size of the breach and have taken steps to correct it. Some state laws have tight timeframes for when notices to consumers and government authorities must go out.

Test your response program periodically and make appropriate changes.

Consider obtaining cybersecurity insurance to cover costs of responding to a breach. Cybersecurity insurance is available in forms to cover specific costs (e.g., costs to notify customers and provide credit monitoring, costs of forensics and other consultants to identify and contain the breach) and is affordable based on the extent of coverage and policy deductibles.

Consumer information must be kept secure and confidential at all times and it is important to protect information from the moment it is received until the moment it is securely destroyed. A study by Michigan State University estimated that 51 percent of all security breaches occur in the workplace, so tracking and monitoring the activity of dealership employees with respect to their access to customer information – in both printed and electronic form – is very important. The FTC has cited a failure to monitor system logs as another deficient security practice.

Bring Your Own Device (BYOD) Risks

A critical issue is employees using their personal smartphones, tablets, and other personal devices to access nonpublic personal information of consumers through their employer networks. “BYOD” or “bring your own device” has become the shorthand expression for use of personal devices for business purposes. The benefits of BYOD often include reduced hardware costs for the company as well as greater employee satisfaction from using a single portable device for workplace and personal use.

However, BYOD use adds another element of security risk that should be addressed in your Safeguards Program. A comprehensive risk assessment should be conducted to assess whether employees are already using their own