February 06, 2018

Buying a Car? Here’s What Information Security Should Look Like in a Dealership

Last June security researchers discovered an exposed online database that contained the details of about 10 million vehicles that had been sold in the U.S. It turned out criminals were using the data including vehicle identification numbers (VIN) and personal details about the owners to clone VINs and make stolen cars appear legal.

The data breach was a huge wake up call for all auto dealerships who may have been thinking they were too small to be targeted.

But small and medium sized businesses (SMBs) like auto dealerships are targets – the 2017 State of SMB Cybersecurity Report from Ponemon reported that cyber attacks affected 61% of SMBs. When asked what information cyber attackers were most likely to target, 63% of respondents said customer records.

One online report suggested it can be easier to steal customer data from hundreds of auto dealerships than from one big organization due to lax security, a smaller trail, and individual dealers are less likely to do anything about the crime.

Auto dealerships collect a lot of personally identifiable information including credit applications, credit card numbers, Social Security numbers, and financing information.

Here is what effective data security strategies at an auto dealership should look like.

IT Safeguards: The Ponemon search has shown the most prevalent cyber attacks are phishing/social engineering and web-based. Safeguards should include firewalls, anti-virus and anti-malware software, spam filters, vulnerability scans, automated software updates, and data encryption tools.

Physical safeguards: A Clean Desk Policy helps keep the workplace decluttered and better protects confidential data. Access to the office area should be controlled, and there should be a surveillance system to protect computers, the dealer management system (DMS), phones, and other devices.

Security awareness: Experts say that most auto dealers are hacked because of employee error. The company should have a written data security policy and on-going training for all employees. Security awareness reminders in the workplace are helpful and help support a culture of security.

Data retention policyThe dealership should limit the collection, use and retention of confidential information to what is necessary to do business and to comply with regulatory retention of information.

Third-party regulations: Dealerships have to share confidential customer information with third parties such as insurance companies, consumer reporting companies, financial organizations, and vehicle manufacturers. To avoid data being lost or stolen, there should be a requirement for third-party companies to confirm their confidentiality and information security standards.

Compliance checklist: The dealership should be aware of all the different privacy laws and legislation that pertain. For example, under the Can-Spam Act, emails must be clearly identified as being from the dealership. The Red Flags Rule requires businesses to create an identity theft prevention program that detects ‘red flags’ of identity theft. Under the Gramm-Leach-Bliley Act, there must be a description of privacy policies and practices. The Disposal Rule stipulates that when a consumer report is no longer needed the paper file is immediately and securely shredded and/or the digital file is also destroyed. The dealership should partner with a document destruction company that provides paper and hard drive destruction services.

Start Protecting Your Business 

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.