HOT TOPICS 2017 MEMBERSHIP DIRECTORY
files. Review the access logs regularly to monitor for patterns of irregular activity by users. Configure your systems to prevent downloading or file transfers of customer information to computers, USB memory sticks, PDAs, cell phones, tablets, or other remote devices, and disable PC PSTs (local Outlook personal storage files). If you have a credit application on your website, make sure it is encrypted, and begin safeguarding and tracking access to it from the time it is completed by the consumer and securely transmitted to your dealership. Keep your antivirus, anti-malware, and firewall software up to date. If you permit employees to use their own devices to access dealership information, do a risk assessment of BYOD (bring your own device) issues and determine whether it is feasible for your dealership to implement a policy that allows employees to use personal devices. If so, use mobile device management (MDM) software to manage those devices. If it is not feasible, end their ability to do so and require that only company-issued devices be used to access dealer databases and information.

4. Have an acceptable use policy.

Help control risk by adopting an "acceptable use" policy that ensures employees do not share their devices, use strong passwords, and keep any corporate-owned data encrypted. Text messaging should also be discouraged: messages are discoverable from the device in litigation, and the use of acronyms or shorthand often leads to misunderstandings.

5. Have a pre-established plan in place to deal with data security breaches.

The FTC has said that your Information Security Program must include a detailed incident and breach response and notice plan to execute in the event of any security breach or database hack in which customer information is or may have been wrongfully accessed, whether by internal or external persons. Pre-identify a team of people to manage the breach and the response. The team should represent each department that might be affected by a breach or that has to be mobilized to interact with the public, including legal, human resources, privacy, security, IT, communications, and, if you are publicly traded, investor relations. Part of the team's role is to analyze risks to data, data flows, and worst-case scenarios. Test your plan periodically with mock drills. Consult your attorney to learn your state's law and the laws of your customers' states of residence about when you must notify customers of a data breach.

6. Prepare template customer communications in advance, and consider retaining a forensics expert who can quickly capture and analyze your IT systems to identify the source of an electronic breach and mitigate further losses.

Consider channeling all third-party communications through a single person for consistency. The steps you take in the first 48 hours after a data security breach may be the most critical to containing the breach and minimizing losses. Those steps should be laid out in advance in your security breach response plan. That is why your plan should assign roles to breach response team members in advance, so that each member knows their precise responsibilities and the team can be assembled immediately.

7. Do not transmit customer information over insecure channels such as unencrypted email, P2P systems, or open wireless access points. These are not secure media.

The FTC has cited the absence of data loss prevention software and an intrusion detection system on these media as inadequate practices for an Information Security Program.

8. Run an OFAC SDN List check on every customer, cash or credit.

If you get a preliminary hit, follow the steps listed by OFAC to determine whether the hit is a "false positive." Do not do business with the customer until you are certain that they are not the person listed on the SDN List. Keep a record of OFAC checks for five years.