Stop for a moment and consider the damage a thief might inflict if the data in your Dealer Management System (DMS) or Customer Relationship Management (CRM) were hacked or compromised. If you’re like most car dealers, a breach of customer or employee data isn’t on your radar.
That is unfortunate, because an automotive dealership is a treasure trove of nonpublic personal information (NPI). The average deal jacket contains everything a thief needs to clone or steal an identity: a credit application with name, address, date of birth and Social Security number, plus a copy of the driver's license.
Recent data breaches in the news illustrate the many challenges facing companies that have suffered cyberattacks, from rebuilding their reputations, customer relationships and the public's trust to intensive dealings with federal regulators.
According to a 2016 survey, over 80 percent of consumers would not return to a dealership where their personal information was exposed in a data breach. Customers need to feel confident that their personal information is secure, and that the dealer takes the security of their identity – and NPI – seriously.
Protecting customer information isn't new to the automotive industry. The Gramm-Leach-Bliley Act of 1999, the Privacy Rule of 2000, the Safeguards Rule of 2003 and the Red Flags Rule of 2008 all spell out the dealer's responsibility to protect consumers' information. At a minimum, a dealership is required to have a written Information Security Program (ISP) under the Safeguards Rule and an Identity Theft Prevention Program (ITPP) under the Red Flags Rule.
The first steps toward compliance are to appoint a compliance officer and establish a compliance management system (CMS). But having a CMS on paper won't automatically put your dealership "in the clear." When it comes to protecting your customer and employee databases, the importance of security standards that are current, effective and actually applied can't be overemphasized.
Educating employees is also essential. It's estimated that 85 percent of business data breaches are caused directly by an employee being duped by an outsider, most often through a phishing e-mail or a pretext phone call. Again, your dealership may have the necessary hardware and software in place, but a careless or untrained employee may be the biggest risk of all.
Of course, most IT professionals would recommend that dealers install antivirus and anti-malware software on every workstation and server. That is necessary, but to stay safe you can't stop there.
Large companies can dedicate people and resources to monitoring security and to detecting and responding to a data breach. Dealerships are more exposed: they are generally not equipped to notice that a breach has occurred in the first place, and they rarely know how to respond once one is discovered.
Of the 25 million medium-to-small businesses in the United States, only seven percent have a data security and response program. That leaves the remaining 93 percent at risk.
What are the chances your dealership's data will be breached? To put it in perspective, I'll use an example from nature. Those of us who have lived in Florida for any length of time understand that it's not a matter of if our home will be invaded by termites, but when. It doesn't matter how orderly, clean or well built your house is; at some point you will have to deal with it.
And so it is with a data breach, especially for car dealerships, which hold vast databases of consumer NPI. The primary problem is not that most car dealers don't want to follow the rules. Rather, they don't know how to, or they don't know what to do once the dealership has been hacked.
Where data breaches are concerned, there must be clear communication from the top down. Dealerships must identify where they're most vulnerable and conduct a risk assessment. If they are hit with malware or ransomware, they need to investigate: how did it happen? Look at the logs and the affected data and ask, "How did they get in?"
Focus on root causes. Again, training employees to recognize and report attempts to break into data systems is paramount. It is critical to determine how an attack was able to sidestep your safeguards in the first place, because until that gap is found and closed, the same way in remains open.