WHO CAN YOU TRUST TO PROTECT YOUR DATA?
By: Steve Levine, Chief Legal and Compliance Officer
Ignite Consulting Partners
In the past year I’ve spent a good deal of ink writing about both the importance of data security and the critical task of vendor selection. Unfortunately, those issues have once again collided, as it’s recently been reported that the fast food chain Wendy’s suffered a significant data breach which has resulted in inconvenience to lots of customers, bad press, and some class action lawsuits. What do a burger chain’s problems have to do with car dealers? No, I’m not comparing your inventory to chopped meat, but this subject has everything to do with your business because whether you’re selling cars or burgers, you’re likely accepting credit card payments and, therefore, you’re taking possession of and probably storing your customers’ personal information. In doing so you’re working with third party vendors, which is reportedly how hackers were able to get around Wendy’s data security protections and wrongfully obtain its customer information.
What Constitutes Good Data Security?
As I’ve previously published in these pages, good data security for independent car dealers involves a combination of buying and then implementing the right technology, having the right policies and procedures for employees to follow and then making sure that they do so, and having the right facility security such as clean desk policies, door locks and control of areas that contain customer information. This is a vast oversimplification, so if you want more detail on the ins and outs, please refer to my article entitled 3 Ways to Ignite Your Information Security Practices, which was published earlier this year in our March/April issue.
Even if you’ve implemented the many steps set forth in that article and your own house is in order, though, it may still be in great jeopardy if you’re dealing with vendors that don’t share your commitment. Be aware that the Wendy’s matter isn’t the first time we’ve seen this fact pattern; the huge Target stores breach of 2013 also involved hackers accessing Target data through credentials stolen from a vendor.
How to Prioritize your Vendor Scrutiny
While there is no foolproof way to guard against a vendor’s security lapse leaving your data vulnerable, there are a lot of practices you can follow to weed out the less stringent vendors, thereby facilitating your selection of vendors that are up to speed on the risks involved and committed to security. Keep in mind that even though this article focuses on technology vendors, a vendor is anyone with whom you do business, which could include a wide range of service providers like those you use for mass mailing of letters, software providers, repossession companies, and a whole host of others, and these same practices can be used as part of a comprehensive vendor management strategy.
Not all vendors are created equal. Some, like a dealer management software supplier, provide crucial services that allow you to run the business, while others touch a much smaller aspect of the business. The costs and time involved in the vendor management program can be staggering, so some decisions have to be made as to where to devote resources. A lot of this has to do with the size and complexity of the business, and a dealer with one location selling a few dozen cars a month doesn’t have to devote the same resources as a multi-location dealer selling hundreds.
So how does a dealer analyze the totality of its vendors and decide where to focus its resources? As a matter of simplicity, the important things to consider are:
a) Does the vendor have access to your customer data?
b) Does the vendor have access to your physical location?
c) Does the vendor provide key services or involve a significant financial commitment?
d) Does the vendor regularly have direct contact with your customers?
Vendors that fall into one or more of these categories present more of a risk to your business and should be subject to more scrutiny than those that don’t.
How to Select Vendors that are Serious about Data Protection
When it comes to development of a rigorous vendor selection process, consider these four steps:
Due Diligence is all about knowing the details of the company you are hiring. It involves finding out about the company itself, its owners, the employees that will be providing services to you and your customers, and its history and reputation. Don’t simply go by claims it makes in a brochure or base a decision on one or two references it provides. Ask for five or ten clients you can contact and then choose one or two yourself. Investigate its record with any appropriate regulators and on social media, look into any lawsuits it has been involved in, and ask how it protects the reputation of its clients. Study its policies and procedures to make sure it shares your commitment to compliance, and take a look at its hiring policies and how it trains and disciplines its employees.
Vendor Contracts govern the relationship between the parties and are usually one-sided documents drafted by the vendor and then signed by the client without further thought. I’ve seen plenty of these contracts that go so far as to attempt to place liability on the dealer even if it’s the vendor that does something wrong. It’s critical that expert advice be sought to level the playing field and create a fair document that both parties can live by. Don’t be afraid to make the vendor warrant and represent the specific services that will be provided, set goals and standards, and include penalties for non-performance and even termination rights in the event of a vendor violation.
Audit Rights should be included in your vendor contracts, and dealers should then have a process in place to conduct these audits. Audits aren’t as scary as the word sounds. For less critical vendors, the process is simply keeping an eye on the points studied during due diligence to make sure the status quo is being maintained. Where appropriate, it may include tracking performance metrics and whether any service level agreement is being obeyed. Keep a keen eye on how customer complaints are communicated and handled. It’s important to develop a consistent process for audits, schedule them at least annually, and document your files.
Site Visits are important for those vendors that provide critical functions because they allow for insight into how business is really done. Don’t be shy about getting your hands dirty. For example, listen to phone calls for customer support or call center vendors, observe the actual people that touch your accounts, and sit in on training. Ask to see examples of employee discipline and compare how accounts are actually being handled to the representations made in the contract or service level agreement. Maybe even send a survey to customers that had dealings with the vendor. While site visits can be expensive and should be scaled to the size and complexity of the businesses involved, they are a handy tool for protecting one’s interests.
Don’t just dog-ear this page after reading it. The costs for a data breach can be staggering, ranging from fines and lawsuits to the costs of obeying all the legal requirements thrust upon a party that’s been breached, to damage to your reputation and loss of customer loyalty. While there is no “bullet-proof” remedy available, following these basic recommendations will assist you in building your vendor management program and allow you to control your business relationships and reduce your risk.
Finally, recognize the value of a paper trail and the importance of being able to demonstrate your efforts. Have written policies and procedures, develop a methodology for vendor selection, train your people, audit your vendors, and self-audit yourself to make sure you are meeting your own standards. By doing these things you’ll be able to prove you’re serious about compliance and hold those you do business with to the same goals.
Steve Levine is Chief Legal and Compliance Officer of Ignite Consulting Partners, which offers compliance, technology, and cyber security guidance to car dealers and finance companies. Its Vendor Management Manual contains adaptable policies, easy to use checklists and practical recommendations that will help businesses of all sizes. Please contact sales@IgniteConsultingPartners.com to learn more. You can follow Steve on Twitter @LawyerLevine for compliance and industry related content.