HOT TOPICS 2017 MEMBERSHIP DIRECTORY
devices for dealership business and accessing nonpublic personal information of consumers in doing so. The risk
assessment should identify the types of devices in use and the security features available on each, select the best
technical means of implementing the program, and produce the specific policies and procedures governing BYOD
administration and management. A good example is mobile device management (MDM) software, which enrolls
and controls every employee-owned device that accesses your systems and encrypts the information sent to and
from the device. Lack of physical control over the device should be high on every dealership's list: the baseline
assumption is always that the device will be lost or stolen, or at the very least be accessible to unauthorized third
parties. Enabling location tracking so that a lost or stolen device can be found is a prudent security practice, but
it may raise privacy concerns among employees. Another good practice is to make clear that mixing business and
personal communications on one device creates a risk that the employee's personal information will be exposed if
the device's contents must be produced in litigation. A best practice is to provide that the employer has the right
and the technical capability to remotely wipe all data from any device used for business purposes, and that this
means the device may be wiped entirely, including personal photos and contacts.
Dealerships also must consider various technical issues, including the use of untrusted devices, wireless
networks, or applications; support for multiple mobile operating systems; installation of security patches and
software updates; and interaction with other systems for data synchronization and storage.
Consider the risks. The FTC entered into a consent decree with a dealer that suffered a breach exposing the
nonpublic personal information of thousands of consumers. The breach originated with a peer-to-peer (P2P)
file-sharing program installed on an employee's home PC; the employee used that PC to access dealership customer
information, which the P2P software then made available to other users of the P2P network as well. In 2014, hackers
broke into a national bank's systems through the home computer of an employee who was working remotely; from
there, the intruders reportedly moved further through the network over the employee's virtual private network
(VPN) connection. Vendors with access to your customer information should be limited and monitored. A national
retailer's huge data security breach occurred when a vendor accessed the retailer's systems from a compromised
PC, which allowed the attacker to get into the retailer's systems as well and create accounts and stealth utilities to
steal data.
Employees may resist the installation of security software and controls on their personal devices, as well as
mandatory encryption of customer information both in transit to and from the device and at rest on the device,
which is a best practice. Dealerships also must detect and prevent "jailbreaking" (or "rooting") of the device,
by which the employee circumvents the organization's security policies and controls; MDM software can make
this more difficult by detecting jailbroken devices and blocking their access. Consider instead having the
dealership provide the mobile devices to employees, so that you can centrally manage and secure them, subject
to applicable state law.
FTC Consumer Report Information and Records Disposal Rule
The Disposal Rule requires persons who maintain or otherwise possess consumer report information for a business
purpose to properly dispose of such information by taking reasonable measures to protect against unauthorized
access to or use of the information in connection with its disposal. For example, paper records should be cross-cut
shredded, burned, or pulverized so that the consumer information cannot be read. Consumer information must also
be destroyed or erased from all electronic media so that it cannot be read or reconstructed. For PCs, copiers,
smartphones, tablets, and fax machines, this means not only deleting the information but wiping the storage
media, as deleted information can remain on the drives and flash storage of these devices even if the data is