HOT TOPICS

2017 MEMBERSHIP DIRECTORY


issue of standing (the ability to sue) to assert data breach claims. The decision means that dealers and other companies that suffer a security breach will have to contend with more lawsuits. The Seventh Circuit determined that the breach victims “should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objective reasonable likelihood’ that such an injury will occur”. If victims have standing, as the Seventh Circuit ruled, claims for negligence, breach of contract, and UDAP (unfair or deceptive acts or practices) violations can be asserted, and statutory as well as actual damages may be available along with recovery of the plaintiffs’ attorney’s fees.

RECOMMENDED PRACTICES

1. Create a culture of security at your dealership and get senior management buy-in.

Limit permissions to access customer information to only those persons who need access to perform their jobs. Require passwords that contain letters, symbols, and numbers and change them frequently (note that NIST SP 800-63B, published in 2017, now favors long passphrases, screening against known-breached passwords, and changing passwords when there is evidence of compromise over composition and periodic-rotation rules). Know the flow of information that enters your system and monitor for unusual data flows in or out; these may be signs that an attacker has entered your system and is compromising customer data. Keep logs of who accesses customer information and when, for both electronic and paper files. Train your employees on the importance of safeguarding customer information. Do not leave credit applications or credit reports out in the open or in unsecured file drawers. Consider using processes that can verify that your employees are actually following the policies and procedures in your Information Security Program. Regularly review the access logs for consumer information records and follow up promptly if you see an unusual spike in any employee’s or other user’s access to customer files. Lock down files at night and on weekends, and implement a “clean desk” policy that requires all paper documents containing customer information to be locked up when not in use.
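The access-log review recommended above can be automated in a few lines. The following is an added example written for this page, not code from the article or from any dealership system. It builds a constructed access log (the line format, user names, record ids and timestamps are all assumptions), baselines each user’s daily volume of distinct customer records against that user’s own earlier days, flags the day that far exceeds it, and separately lists access outside business hours or on weekends, the times the article says files should be locked down.

```python
"""Review customer-record access logs for per-user volume spikes and off-hours activity.

Added example for this article; it is not code from the publication or any dealer
system. The log format, user names, record ids and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def constructed_log():
    """Constructed sample log (not real data): one event per line as
    '<ISO timestamp> <user> <customer record id> <action>' over five weekdays."""
    days = ["2017-03-06", "2017-03-07", "2017-03-08", "2017-03-09", "2017-03-10"]
    rows = []
    # jsmith: steady workload, five customer files every day during business hours
    for d in days:
        rows += [f"{d}T10:{i:02d}:00 jsmith C{1000 + i} view" for i in range(5)]
    # bkent: four files a day, then exports 40 different files late on the last day
    for d in days[:-1]:
        rows += [f"{d}T11:{i:02d}:00 bkent C{2000 + i} view" for i in range(4)]
    rows += [f"{days[-1]}T21:{i:02d}:00 bkent C{3000 + i} export" for i in range(40)]
    # tmp01: a single day of history, too little to build a baseline from
    rows.append(f"{days[-1]}T14:00:00 tmp01 C4000 view")
    return "\n".join(rows)


def parse_log(text):
    """Parse log text into (timestamp, user, record, action) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, record, action = line.split()
        events.append((datetime.fromisoformat(ts), user, record, action))
    return events


def daily_counts(events):
    """Return {user: {'YYYY-MM-DD': number of distinct customer records touched}}.
    Distinct records, not raw events, so repeated views of one file are not a spike."""
    touched = defaultdict(lambda: defaultdict(set))
    for ts, user, record, _action in events:
        touched[user][ts.date().isoformat()].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in touched.items()}


def find_spikes(counts, min_history_days=3, sigma=3.0, min_records=20, min_ratio=2.0):
    """Flag users whose most recent day is far above their own earlier days.

    A day is a spike when it exceeds all of: mean + sigma * stdev of the prior
    days, min_ratio times the prior mean, and an absolute floor of min_records.
    The floor and ratio stop a user with a perfectly steady history (stdev 0)
    from being flagged for one extra record. Users with fewer than
    min_history_days of prior history are skipped rather than guessed at.
    """
    alerts = []
    for user, per_day in counts.items():
        days = sorted(per_day)
        if len(days) - 1 < min_history_days:
            continue
        history = [per_day[d] for d in days[:-1]]
        latest_day, latest = days[-1], per_day[days[-1]]
        mu = mean(history)
        threshold = max(mu + sigma * pstdev(history), mu * min_ratio, min_records)
        if latest > threshold:
            alerts.append({"user": user, "day": latest_day, "records": latest,
                           "baseline_mean": mu, "threshold": threshold})
    return alerts


def find_off_hours(events, open_hour=7, close_hour=19):
    """Return events outside business hours or on a weekend (Saturday=5, Sunday=6)."""
    return [e for e in events
            if e[0].weekday() >= 5 or not open_hour <= e[0].hour < close_hour]


if __name__ == "__main__":
    evts = parse_log(constructed_log())
    for a in find_spikes(daily_counts(evts)):
        print(f"SPIKE {a['user']} {a['day']}: {a['records']} records "
              f"(baseline {a['baseline_mean']:.1f}, threshold {a['threshold']:.1f})")
    for ts, user, record, action in find_off_hours(evts)[:3]:
        print(f"OFF-HOURS {ts} {user} {action} {record}")
```

On the constructed data, only the bkent export run is flagged as a spike and as off-hours activity; jsmith’s steady volume and the one-day tmp01 account are not. The baseline is per user on purpose: a finance manager who legitimately opens forty credit applications a day would drown a single store-wide threshold, while a spike is obvious against that person’s own history. The sigma, ratio and floor values are starting points to tune against a few weeks of real logs, and every alert still needs the prompt human follow-up the article calls for.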

2. Put into place an Information Security Program that details how you safeguard and securely dispose of all your consumer information.

Include a detailed data security incident and security breach response plan in the Information Security Program. Follow FTC guidelines for Information Security Programs, and know your state’s law on the use, communication, and display of Social Security numbers and on consumer notification requirements in the event of a data breach. Avoid storing consumer information longer than necessary or allowing access with widely known, simple passwords. Make sure your dealership’s Information Security Program includes detailed provisions for the secure disposal of consumer information, both paper and electronic. Train and re-train employees, test your systems regularly (for example, through vulnerability assessments and penetration tests), and update provisions as required. Wipe or destroy the hard drives and flash storage in computers, copiers, fax machines, and wireless devices using industry-standard procedures (such as those in NIST SP 800-88 for media sanitization) before discarding them or trading them in for replacements. Disable USB flash memory drives. Store customer information only on secure central servers where possible, and prevent it from being downloaded to individual devices. Some states (for example, Massachusetts) require that customer information stored on laptops, tablets, cell phones, and other portable devices be encrypted. Massachusetts and Nevada also require that personal information about their residents be encrypted in transmission, which is a best practice in any event and is required by PCI DSS for cardholder data sent over public networks.

3. Manage user permissions to give customer information access only to those employees and service providers having a legitimate business need.

More than half of all identity theft originates in the workplace, according to a recent study. In addition to negligently making customer information available for theft by outsiders, employees can and do steal customer information and sell it to identity thieves. So it is critical that you keep event access logs of those persons who access your customer information in both paper and electronic