Protection of Customer Information in a Post-Equifax World
Steve Levine, Ignite Consulting Partners
I was driving down the highway recently and took special interest in a law firm billboard that appeared on my daily route. It was a bold advertisement that announced “We Handle Equifax Claims” along with a dastardly looking depiction of what a cyber-sleuth is supposed to look like, and the law firm contact information. As I’ve driven around town the past month, I’ve noticed several of these billboards popping up on major roads.
This advertising caught my attention for a variety of reasons. First, that kind of advertising is a major investment for a law firm to make, one that they must be confident will create rewards. Secondly, this law firm has about 15 offices around the state and handles a wide variety of matters from car wrecks, family law, business litigation and criminal law. While they handle consumer cases, they aren’t what I’d consider a consumer law boutique firm, so their investment is even more impressive, and the fact that their footprint is large means that this has statewide implications. Thirdly, it confirms my belief that the Equifax breach called a lot of attention to information security practices for the industry as a whole and the sharks smell blood in the water.
Unfortunately, protection of customer information is an area where many BHPH (buy-here-pay-here) and independent dealers' compliance efforts fall short. While many dealers are aware that they must safeguard customer information, they aren't sure where the obligation comes from, haven't taken it seriously, and certainly don't have adequate written policies and training to have confidence that their customer information is protected. This is my opinion, and it certainly doesn't apply to all dealers, but it holds true for a great many.
The FTC Privacy and Safeguards Rules
The obligation to safeguard customer information comes from the Gramm-Leach-Bliley Act and the FTC rules that implement it. The Privacy Rule governs the notices you must give customers and what you may disclose about them; its companion, the Safeguards Rule, is the one that requires a written program for protecting that information. Both apply to any dealership that extends credit in connection with a vehicle purchase or helps arrange financing, because doing so makes the dealer a "financial institution" under the Act. Simply put, BHPH and other independent dealers, that means you! All nonpublic personal information you collect from the customer is covered, even seemingly simple information such as name, address, phone number and anything else that can be used to identify a customer.
Confront the Facts and Evaluate your Business
So what’s a dealer to do? The first step is to admit there is a problem! Honestly evaluate your business and see what controls are in place. At Ignite Consulting we’ve worked with several dealers on this topic and we find it beneficial to start by separating the analysis into two parts, physical location and network security.
The first question when studying physical security is what kind of access the public and other invitees have to the dealership's physical location. Do employees take steps to protect customer information by locking it up, or is it left haphazardly on desks, copy machines, and even the receptionist's desk? I recently saw each of these issues firsthand when I was shopping for a vehicle at a new car franchise. Is there a clean desk policy, and are employees disciplined for violations? If customer information isn't kept securely, then the dealership is at risk.
Network Security and the Four “P’s”
On the network side of things, we preach considering the four "P's": perimeter, people, policies, and patching. By "perimeter", we mean who has access to the business network? Is remote access allowed so that employees can access company data while away from the office, and if so, how is it secured? Is there an adequate firewall? How is Wi-Fi access managed, and is the guest network kept separate from the one that carries customer data? Are there encryption rules, for example for laptops and remote connections?
"People" means your employees. What devices are they provided, and what information is allowed to be stored on them? Are there policies about thumb drives, camera phones, and what company information can be emailed with and without encryption? Are there rules about changing and sharing passwords? Are employees taught how to identify "spoofing", "phishing", "malware" attacks and the other tools of the cyber-criminal?
"Policies" turns attention to the written policies that are in place to help manage the business; they cover a wide range of activities. Employees need to be trained on both cybersecurity principles and physical security at the dealership. These encompass everything from access to computers, use of devices such as thumb drives, what can be stored on a laptop, and how to dispose of equipment that retains data, such as copy machines (which store images of what they scan) and old hard drives. At Ignite, we have created 20 different policies related to protection of customer information, covering things like passwords, encryption, retention, anti-malware, and numerous other topics, though most dealers may only need a handful depending on their business and practices.
Finally, "patching" refers to keeping all software updated so that known vulnerabilities cannot be exploited. Dealerships use a lot of software to run their business, and as the software makers discover vulnerabilities they release patches, such as when an employee receives a notice that Adobe Reader or Flash Player needs to be updated; however, lots of people just dismiss these notices and never install the update. This is a common weakness that cyber-creeps then attack. In fact, Equifax itself attributed its breach to a failure to patch: a web application framework with a known vulnerability for which a fix had been available for months. Dealerships should keep an inventory of the software they run and regularly do a vulnerability scan and audit to keep track of needed updates.
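As an added illustration of the patch audit recommended above (an example script, not from the article or from Ignite), here is a PowerShell check that a dealership's IT contact could run on each Windows workstation. It uses the Windows Update Agent COM API to list updates that are available but not installed, reads installed third-party product versions from the registry's Uninstall keys so they can be compared with each vendor's current release, and writes both lists to dated CSV files as evidence for the compliance file. Assumptions: a Windows 10/11 or Windows Server machine that can reach its update source (Microsoft or a WSUS server); the product watch list and the 30-day threshold are illustrative choices, not values from the article or any regulation.

```powershell
# Added example (not from the article): a patch audit for one Windows workstation.
# Assumptions: Windows 10/11 or Server with the Windows Update Agent able to reach
# its update source; the watch list and the 30-day threshold are illustrative.

# --- 1. Windows updates that are available but not installed -----------------
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# WUA search criteria: applicable to this machine, not installed, not hidden by an admin.
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$pending = @(foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = $u.MsrcSeverity        # Critical/Important/...; blank for non-security updates
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Released = $u.LastDeploymentChangeTime
    }
})

"Pending Windows updates: $($pending.Count)"
$pending | Sort-Object Severity, Released | Format-Table -AutoSize

# Anything rated Critical that has sat unapplied for more than 30 days is a finding.
$overdue = @($pending | Where-Object {
    $_.Severity -eq 'Critical' -and $_.Released -lt (Get-Date).AddDays(-30)
})
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) critical update(s) have been available for 30+ days."
}

# --- 2. Third-party software that Windows Update does not patch --------------
# Adobe Reader, Flash Player, Java, browsers and the DMS client are updated by their
# own vendors. Read what is installed (64-bit and 32-bit views) so the versions can
# be compared with each vendor's current release.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$watch        = @('Adobe', 'Flash', 'Java', 'Chrome', 'Firefox')   # illustrative watch list
$watchPattern = ($watch | ForEach-Object { [regex]::Escape($_) }) -join '|'

$installed = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayName -match $watchPattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName)

"Watch-listed third-party products installed: $($installed.Count)"
$installed | Format-Table -AutoSize

# --- 3. Keep a dated record --------------------------------------------------
# A written safeguards program needs evidence that the check was done; save both
# lists with the machine name and a timestamp for the compliance file.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
if ($pending.Count -gt 0) {
    $pending | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-pending-updates-$stamp.csv"
}
if ($installed.Count -gt 0) {
    $installed | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-third-party-$stamp.csv"
}
```

Run it from a PowerShell prompt on each workstation (the update search can take a minute or two). The CSV files are the audit trail; the third-party list still has to be compared by hand, or by a proper vulnerability scanner, against what the vendor currently ships, because Windows Update knows nothing about those products.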
This type of self-scrutiny isn't optional. It is necessary to protect your business from hackers, malware that destroys data, and ransomware attacks that lock up your systems, can expose a customer's personal information, and leave the dealership open to legal attack. These attacks really do happen to car dealers, and the result can be a "bet the business" maelstrom.
Many dealers don’t have internal technology resources that are familiar with information security best practices. Personnel performing help desk services may not possess the skillset needed. Also, we’ve found that many dealers make the mistake of pushing this to the bottom of the “compliance” pile because of a shortage of resources and uncertainty on how to begin. Hopefully, this article will alleviate some of those concerns.
Dealers have been under the obligation to protect a customer’s personal information for many years; however, up until recently there hasn’t been a rash of headline grabbing cases challenging these practices. The Equifax security breach has directed a lot of media and regulator attention to potential consumer claims and plaintiffs’ lawyers are showing increased interest. It’s imperative that dealers study their policies, procedures and training with renewed vigor.
Steve Levine is Chief Legal and Compliance Officer of Ignite Consulting Partners, which offers compliance, technology and many other services to the car finance industry. Please contact sales@IgniteCP.com to learn more about how its cyber security programs can protect your business. Please follow Steve on Twitter @LawyerLevine.