There is no shortage of headlines depicting the danger of unsecured data: Data breaches at big-name companies like Target, Sony Pictures, and Anthem Inc. have resulted in nearly 230 billion leaked records and a slew of legal actions. And these breaches weren’t anomalies.

Clearly, big data is no longer simply an asset. The liability associated with data has become clear as we have witnessed breaches across industries with ever-increasing frequency. With the immense fallout trailing each attack, worldwide attention is now being focused on data security, and regulators are starting to take notice.

In May 2014, the Federal Trade Commission (FTC) published a study examining the practices of several major data brokers — companies that collect consumers’ personal data and sell it, largely without the knowledge of those consumers. The regulator said in its report that it found a fundamental lack of transparency in the practices of these companies. So, why does this matter to you? Because the FTC listed dealerships as one of the sources from which data brokers acquire customer information.

So, with data security at the forefront of the public’s mind and attention being focused on our industry, will your data risk plan hold? Will your DMS and web application security thwart all outside attempts at invasion? When the rubber hits the pavement, will your business and clients be kept safe?

If you need to bolster your dealership’s data security plan, here’s an easy five-step process that will take you from where you are to where you want to be:

Step 1: Understand Applicable Laws
While the Gramm-Leach-Bliley Act is rather lengthy in its entirety, the most crucial component for dealers to understand is who it holds responsible for data breaches. Edith Ramirez, FTC chair, emphasized this point at a 2013 security forum, where she asserted that it was the regulator’s responsibility to hold companies accountable for safeguarding consumer data. Accordingly, you should ensure that at least one staff member is up to date on all applicable laws.

Step 2: Control Access
Currently, most dealerships allow vendors unlimited access to their data. This issue is exacerbated by a lack of monitoring of that vendor access.

To combat this growing problem, your dealership should generate a list of all usernames and passwords that grant access to your DMS and web-based applications, and then verify that all are tied to valid data recipients. This should include both external vendor and dealership employee login credentials assigned for each application deployed by your dealership. Additionally, make sure you have a process in place to promptly remove access for employees who have left your dealership.

Step 3: Dictate How Your Data Is Used
The National Automobile Dealers Association has recommended that all dealerships push DMS data to their vendors, rather than grant access to their DMS for data pulls. This seemingly small shift in how data is moved will empower dealerships with the knowledge of what data is being sent and where. The NADA’s recommendation also applies to any web-based applications, such as the dealership’s CRM, scheduling applications and other third-party sites used in a dealership, especially those that contain customer or transaction information.

Step 4: Have Binding Agreements in Place
It is best practice for dealerships to have pertinent agreements in place prior to any and all data movement. In addition to having a binding contract with each data-receiving vendor, be sure to understand each contract and what it enables a vendor to do with your data. You should also have agreements with all of your employees covering dealership policies on data access and use — including security policies and practices. The agreements should be reviewed annually.

Step 5: Reinforce Your Plan
No plan can sufficiently address all potential risks. Although your DMS providers, OEMs and web-based application vendors may offer forms of protection, they can lack dealer focus. Discuss your plan with a professional, independent, third-party consultant and ensure your dealership is covered by a cyber-liability insurance policy.

We can no longer remain complacent when it comes to our data security; the risk and cost are too great. Start planning today to reduce your dealership’s risk and exposure — your dealership and your clients are worth it.

David Nathanson is the head of the retail advisory practice division at motormindz, an automotive consultancy specializing in automotive manufacturing, retail, fleet, marketing communications and technology.