Auto dealers have historically allowed third-party vendors access to their customer data for a variety of reasons. However, the practice of giving blanket, unlimited access should stop. Dealers could be held liable for privacy and security breaches.
In June 2012 the Federal Trade Commission announced an enforcement action against a dealership that allegedly failed to implement reasonable security measures over its customer data, which was compromised via a peer-to-peer network. See the press release on the Franklin Toyota/Scion case at http://www.ftc.gov/opa/2012/06/epn-franklin.shtm.
At a minimum, dealers should take the following steps to safeguard their data:
- Check with your dealer management software provider to determine who has access to customer data and to what data in particular.
- Get in touch with the third-party vendors who have access to data.
- Find out exactly what information they need.
- Limit their access to the fields that they need. For example, Auto Trader™ only needs access to used vehicle inventory.
- Have all vendors to whom you allow access sign a data confidentiality agreement.
- Obtain a Service Organization Control (SOC) report if available to assess controls pertaining to the service provided by the third party.
- Review the Federal Trade Commission Guide at http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business and implement corrective procedures as necessary.
- Remove local administrative rights from employees’ workstations.
- Perform access reviews to determine that employees have appropriate access to information.
- Ensure adequate security on wireless systems. For example, the wireless network that is made available for customers in the customer lounge should not have access to sensitive customer data.
- Control security on employees’ own devices such as iPads, smartphones and flash drives. Sensitive customer data should never be downloaded to these portable devices.
- Implement a written information security plan.
- Ensure that employees are adequately trained.
- Implement enforcement measures to ensure compliance with the information security plan.
- Conduct security vulnerability and penetration testing over wireless and external network connections.
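Two of the steps above, limiting each vendor to the fields it needs (Auto Trader seeing only used-vehicle inventory) and periodically reviewing who actually has access, can be enforced and audited mechanically. The Python below is an added example, not code from this article or from any dealer management system; the vendor names other than Auto Trader, the field names and the sample records are assumed placeholders.

```python
"""Least-privilege vendor data feeds plus a vendor access review.

Constructed example: field names, the "mailer" vendor and all records are
hypothetical placeholders, not a real dealer management system (DMS) schema.
"""

# Fields that must never reach any vendor feed, whatever the policy says.
SENSITIVE_FIELDS = {"ssn", "drivers_license", "credit_score", "bank_account"}

# Per-vendor policy: the fields the vendor stated it needs and a row filter.
# Auto Trader needs used-vehicle inventory only; the (hypothetical) mailer
# vendor gets a name and mailing address and nothing else.
VENDOR_POLICY = {
    "autotrader": {
        "fields": {"stock_number", "year", "make", "model", "mileage", "price"},
        "rows": lambda r: r.get("condition") == "used",
    },
    "mailer": {
        "fields": {"customer_name", "mailing_address"},
        "rows": lambda r: True,
    },
}


def build_vendor_feed(vendor, records):
    """Return only the rows and fields the named vendor is entitled to."""
    policy = VENDOR_POLICY[vendor]
    allowed = policy["fields"] - SENSITIVE_FIELDS  # belt and braces
    return [
        {k: v for k, v in rec.items() if k in allowed}
        for rec in records
        if policy["rows"](rec)
    ]


def review_vendor_access(granted):
    """Access review: compare what the DMS actually exposes to each vendor
    (vendor -> set of field names) against VENDOR_POLICY.

    Returns, per vendor, the fields to revoke. A vendor with no recorded
    policy is reported in full: nobody has documented a need for it.
    """
    findings = {}
    for vendor, fields in granted.items():
        needed = VENDOR_POLICY.get(vendor, {}).get("fields", set())
        excess = set(fields) - needed
        sensitive = set(fields) & SENSITIVE_FIELDS
        if excess or sensitive:
            findings[vendor] = {"excess": excess, "sensitive": sensitive}
    return findings
```

Run `review_vendor_access` against the DMS's current export configuration at each scheduled access review; a non-empty result is the revocation list.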
© 2013 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.