Safeguard Your Data - Third Party Access

Auto dealers have historically allowed third-party vendors access to their customer data for a variety of reasons. However, the days of giving blanket, unlimited access should stop. Dealers could be held liable for privacy and security breaches.

In June 2012, the Federal Trade Commission announced an enforcement action against a dealership that allegedly failed to implement reasonable security measures over its customer data, which was compromised via a peer-to-peer network. See the press release on the Franklin Toyota/Scion case at http://www.ftc.gov/opa/2012/06/epn-franklin.shtm.

At a minimum, dealers should take the following steps to safeguard their data:

  • Check with your dealer management software provider to determine who has access to customer data and to what data in particular.
  • Get in touch with the third-party vendors who have access to data.
    • Find out exactly what information they need.
    • Limit their access to the fields that they need. For example, Auto Trader™ only needs access to used vehicle inventory.
    • Have all vendors to whom you allow access sign a data confidentiality agreement.
    • Obtain a Service Organization Control (SOC) report if available to assess controls pertaining to the service provided by the third party.
  • Review the Federal Trade Commission Guide at http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business and implement corrective procedures as necessary.
  • Remove local administrative rights from employees’ workstations.
  • Perform access reviews to determine that employees have appropriate access to information.
  • Ensure adequate security on wireless systems. For example, the wireless network that is made available for customers in the customer lounge should not have access to sensitive customer data.
  • Control security over employees’ own devices such as iPads, smartphones and flash drives. Sensitive customer data should never be downloaded to these portable devices.
  • Implement a written information security plan.
  • Ensure that employees are adequately trained.
  • Implement enforcement measures to ensure compliance with the information security plan.
  • Conduct security vulnerability and penetration testing over wireless and external network connections.

© 2013 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.
