We all know that identity theft has been running rampant across the United States, affecting many industries, including dealerships. Dealerships and other retail establishments are easy targets because they have lots of personal information about customers and a workforce that has direct access to it.
Today, identity theft has morphed from stealing physical data to stealing electronic data and using the Internet as a getaway car! Many dealerships are struggling with how to protect the electronic personal information of their customers from the thief that comes in through the Internet. It is overwhelming for most dealerships to grasp cyber-attacks and the devastating effects these attacks can have on dealerships.
In the mid-2000s, we saw an increase in personal customer information at dealerships being stolen for the purpose of committing identity theft. The information was mostly in the form of physical data, such as paper and backup tapes. A simple web search will net numerous examples like the ones below, showcasing the creative ways physical data was stolen and used.
“A Nissan dealership in southwest recently had a finance manager commit fifty-two cases of identity theft within the store. The manager was substituting information from past customers with good credit for current customers with bad credit in order to secure financing for the current customers. The dealership incurred over a half million dollars in litigation costs associated with the theft.”
“A state government official was convicted of embezzling from a state retirement account. The individual had previously spent time in jail for fraud. After prison, the individual was hired by a dealership as a salesperson. While working as a salesperson, the individual secured a customer’s personal information to use as his own, and thus, obtained a job in government without the government office seeing his criminal history.”
So where do dealerships start in reducing the risk of cyber-attacks? Actually, they already have. Remember the FTC Safeguard Rule? And, yes, it was focused on the physical data at dealerships. This 2003 Rule required auto dealerships to safeguard non-public customer information, and it gave the FTC the authority to impose fines upon dealerships for non-compliance; the maximum fine is $11,000 per day per occurrence.
Today, the FTC Safeguard Rule has expanded to include cybersecurity: protecting electronic data from Internet attacks, detecting Internet attacks, and reporting Internet attacks. The FTC is requiring dealerships to update their Safeguard Rule compliance requirements to include cybersecurity safeguards that will reduce a dealership’s risk of cyberattacks. This is not an easy task, but a necessary one. The fines and fees from state privacy laws, federal and industry regulations, and class action suits that dealerships face for not protecting the personal information of their customers can put a dealership out of business.
The FTC has a dedicated section on its website that defines these safeguards and provides guidance. Complying with the cybersecurity requirements will require subject matter expertise and resources that a dealership may not have. Today there are professional services organizations, such as accounting firms, law firms and consulting firms, that have cybersecurity professionals who can help you navigate through the compliance.