Part 2: Data Risks Are Real – A Conversation With Dealertrack

Part 2 of a 3 part series on data security in dealerships and the automotive industry. Here’s Part 1 in case you missed it.

Data security is not top of mind for most dealership professionals, but could be the most serious risk dealers face today. DrivingSales met with Randy Henrick, associate general counsel, regulatory & compliance, at Dealertrack to discuss data risks that are impacting dealers and the serious threats that many are ignoring.

Georgia Dealer Goes out of Business After a Data Breach

Few dealers would list data security as a top threat for the business. However, hackers are already targeting dealers and there are instances of real impact to their business.

Henrick references an incident in 2012 when Franklin’s Budget Car Sales was successfully targeted by a hacker that downloaded sensitive information of 95,000 people. The Georgia based company had an FTC complaint filed and within a year was out of business.

“The data breach didn’t happen at the dealership, it happened at the dealer’s home,” Henrick said. “The FTC alleged that a P2P (Peer-to-Peer) application was installed on a computer that was connected to the company’s network. According to the complaint, the company’s failure to implement reasonable security measures allowed sensitive financial information about 95,000 people to be shared by the P2P software.”

“It appears the dealership never fully recovered and went out of business, although the dealership is now reopened under new management. This outcome is common as most business only last six months after facing a data breach followed by an FTC enforcement action.”

Leading Cause of Data Breaches Is Employee Negligence

The perception that hackers are busy attacking firewalls directly through broad technical approaches is incorrect. Most data is accessed through seemingly innocent acts done by employees that leave the door open for data to be downloaded.

Unsecure passwords, clicks on suspicious emails, relaxed processes for paper files and employees downloading programs to computers are the largest threats. These acts are preventable, but happen on a daily basis because of the lack of training.

“I’ve heard data security compared to a turtle; it is hard to get in, but once you are in you can do a lot of damage. That damage can be avoided with proper training and monitoring,” said Henrick.

Dealers can limit access to data, create in-depth security processes and Internet access to only approved sites, but the without proper staff training data is still at risk. Dealership employees should understand where threats are and what part they play in keeping data secure.

Limiting Access Decreases Risk

Henrick recommends only allowing just enough access to staff so they can do their jobs. Every employee access point increases the chances of a data breach. Dealer staff members need data to do their jobs, but not everyone should have complete access.

Restricting access to sensitive customer information by managed permissions provides a first level defense. Information such as addresses, social security numbers, dates of birth, drivers’ license numbers and other sensitive information should only be accessible by a very limited group inside a dealership.

Henrick recommends, “Only collect the data you need. Don’t keep information longer than you need. Limit access to only the information an employee needs to do their job.”

Monitoring Data

Easily accessible data allows for more flexibility for when, where and who can view information. However, unmonitored flow of data is a liability that can be detrimental to the dealer’s operation.

“Often hacks can go for a long time and people will not know anything about it. Dealers need to monitor who is accessing their data and what they are accessing,” said Henrick. The monitoring needs to include remote accesses of data, vendors and employees. “If there is an increase in the amount of data or how often the data is accessed that is a red flag.”

Data Security Recommendations

Henrick strongly recommends dealers follow the recommendations from the FTC found at Start with Security: A Guide for Business. This site gives recommendations of actions businesses should take to protect against data preaches.

Dealers should have a plan in place on how to face a data breach. This plan should also define assignments as to who is in charge of data security and communication plans.

“Dealers need to have security incident plan and it needs to be tested with a mock drill. It is important to find vulnerabilities and fix them,” said Henrick. “What I see is most dealers don’t have a data security policy. Data security has to become a priority at dealerships and dealer executives need to take the lead.”

Data access will continue to increase. Information flow is a convenience for the way dealers do business, but also creates serious threats that have been largely ignored to this point. Dealers must take data security seriously or could face penalties that are fatal to their business.