Why data protection is everyone’s job

The use of data is becoming more pervasive and complex in dealerships. Every employee needs to be vigilant in looking for threats— both inside and out.

Dealerships leverage data in every aspect of their business. Sensitive customer information is being stored in dealer management systems and customer relationship management systems, in finance and insurance (F&I), sales and service databases, and even shared with third-party providers. Failure to secure this data can leave your dealership vulnerable, and result in significant financial and reputational damage.

“The threat landscape is evolving and more active than ever,” said Adam Page, Chief Information Security Officer for Zurich North America. “Massive data breaches affecting millions of customers of big retailers and banks make headlines, but the majority of breaches happen to smaller companies.”

According to a recent report by RiskBased Security,¹ the first six months of 2019 have seen more than 3,800 publicly disclosed breaches that exposed approximately 4 billion records, an increase of 54% compared to the first six months of 2018. The report also revealed that the majority of breaches affect companies with 10,000 or fewer records, indicating that no business is too small to be on a cyber criminal's radar.

“Cybercriminals may consciously seek out smaller organizations instead of the Fortune 500s because they think the data will be less protected,” explained Nikki Ingram, a Zurich North America Cybersecurity Risk Engineer who works closely with dealerships to identify their data vulnerabilities. “Smaller companies can also be more susceptible to ransomware attacks, which is when a company’s computer system is blocked by a hacker until a sum of money is paid either due to lack of security controls or a backup strategy.”

Keeping up with data security and privacy regulations  

Dealerships collect and maintain a significant amount of personal information, including customer names, addresses, phone numbers, dates of birth, Social Security and driver’s license numbers, credit reports, credit card account numbers, financial account information, financing application data, and proprietary sales information. That’s why dealerships are subject to many of the same data security and privacy regulations required of banks and credit card companies.

The regulatory landscape on both the federal and state level is changing rapidly, and dealerships are facing more stringent security and privacy protection requirements. Some key regulations either proposed or already in effect include:

  • The Federal Trade Commission (FTC) proposes amendments to the Gramm-Leach-Bliley Act's Privacy Rule and Safeguards Rule, which will require more expansive cyber controls for financial institutions. Since car dealerships store consumer financial information, they are considered financial institutions, and would be required to comply if these new regulations go into effect.
  • The California Consumer Privacy Act, which went into effect on January 1, is one of the most sweeping pieces of consumer privacy legislation and is expected to influence more regulatory actions by other states.
  • The Fair and Accurate Credit Transactions Act's Red Flags rule requires dealerships to develop programs to detect the early warning signs of identity theft in day-to-day-operations.
  • The Payment Card Industry Data Security Standards were established by the major credit card brands to secure credit and debit card transactions against data theft and fraud. It’s crucial to stay compliant with these standards if your dealership accepts credit or debit cards for payment.
  • Some states, such as California, Massachusetts, and Oregon require dealers to train their employees in data security awareness. Connecticut, Florida, Maryland and impose only general requirements for reasonable safeguards.

“Regulations are going to continue to grow, and there is the potential for steep regulatory fines for dealers. Owners should continually examine their security protocols to avoid both legal consequences, as well as customer and revenue loss, if a breach does occur,” said Page.

DATA PROTECTION IS CRITICAL TO CUSTOMER PERCEPTION

84% PERCENT OF CAR BUYERS SAID THEY WOULD NOT RETURN TO A DEALERSHIP WHOSE DATA HAD BEEN BREACHED,and nearly a third lack confidence their personal data is being protected during vehicle purchase.

YET DEALERS ARE BEHIND ON ADOPTING BASIC PROTECTIONS:

70% OF DEALERS ARE NOT UP TO DATE ON THEIR ANTI-VIRUS SOFTWARE

leaving consumer data at risk of being exposed during a cyberattack.

SMALLER BUSINESSES LOSE MORE IN DATA BREACHES  

A data breach can hit businesses with less than 1,000 employees with disproportionately higher costs when compared to organizations with 25,000 or more employees.

This can make it more challenging for smaller businesses to recover financially from a data breach.

LARGER ORGANIZATIONS AVERAGED $5.1 MILLION, OR $204 PER EMPLOYEE SMALLER ORGANIZATIONS AVERAGED 2.65 MILLION, OR $3,533 PER EMPLOYEE.

EMPLOYEES ARE YOUR FIRST LINE OF DEFENSE AGAINST ATTACKS

For most companies, it's not a software program or firewall malfunction that leads to a data breach. It’s employee error that occurs across all departments in an organization. “That’s why one of the key strategies to minimize the risk of a data breach is to focus on training the people who use and collect customers’ personal information,“ explains Daryl Allegree, a Regional Risk Engineer and member of Zurich's Alternative Markets Risk Engineering team.

Employee errors can happen while handling data in the most basic ways, such as:  

  • Taping passwords to a computer terminal
  • Neglecting to lock a file cabinet containing sensitive customer information
  • Failing to shred paper or online copies of credit applications
  • Misplacing a mobile device and having it picked up by a “bad actor”
  • Opening emails from an unknown sender that instigates a phishing attack which results in a malware infection, theft of sensitive customer information, or fraudulent wire transfer
  • Approving an invoice submitted online from a cyber criminal posing as a vendor that results in thousands of dollars in lost funds

“One of the most basic levels of security starts by securing physical paperwork,” said Allegree. “I see dealers storing financial paperwork in boxes on shelves that are not locked or secured in any way. At minimum, shred financial paperwork that is no longer needed.” Current physical financial files, especially those found in the F&I office, should be kept in offices that are locked and accessible to only a few employees.  

While some of these errors can be innocent in nature, what is more damaging is when a disgruntled employee downloads customer data on a USB stick to sell to a competitor or cyberthief. “Unfortunately, internal employee threats are a very real problem, and if an employee is seeking revenge, they can do a lot of damage to a dealership and its data,” said Page.  

CREATING A CULTURE OF DATA SECURITY

Every organization's culture starts at the executive level. It’s the responsibility of the people at the top to establish an awareness of data security as a companywide priority, not just an IT priority. To do so, a member of the senior management team should be assigned to oversee development and maintenance of a cybersecurity program and company policy. This cybersecurity leader should consider creating a cross-functional team to monitor security awareness, education, and compliance throughout the organization.

“At the core of a cybersecurity program is employee training,” said Ingram. “Awareness training with employees has shown to have very good return on investment, much more than some of the technology solutions which require ongoing management to keep effective.” She recommended educating employees on the current threats and attacks, and best practices on how to maintain the confidentiality, privacy, and security of sensitive customer data. A company’s cybersecurity policies and procedures should reviewed; if the policies are violated, employees should be made aware that disciplinary actions will be taken.  

Ingram recommends that training should be held at least annually. Cybercriminals are constantly adopting new tactics to breach data, and if your employees aren’t aware of the latest methods, attacks can go undetected for months within an organization and create widespread damage. If your dealership experiences frequent staff turnover, training should be integrated as part of new employee onboarding.

Page recommends taking employees through specific attack scenarios to practice incident response capabilities where systems become unavailable, and how to spot phishing emails.  

REBOOTING YOUR CYBERSECURITY PLAN  

Considering how to best manage the latest cybersecurity threats along with the changing regulatory landscape may require reassessing your data risks and deciding what the best mitigation strategy should be.  

“It’s tempting to look for a quick-fix solution by hiring an external consultant or a full-time cybersecurity employee,” explained Allegree. But the most effective starting point for an objective third party with dealership and cyber security experience is to conduct a baseline risk assessment for the organization. If your dealership has a cybersecurity policy with Zurich, this assessment can be conducted at no cost by the insurance company’s risk engineers. The benefit of using risk engineers with dealership experience is that they understand the unique operations of vehicle sales, financing, and service, and where the likely data vulnerabilities could occur.  

Allegree emphasized the risk assessment should be conducted from multiple angles that address people, processes, and technology. Looking across all users of data (i.e., employees, contractors and vendors) to find the vulnerable points is critical to minimizing the risk of a data breach.  

“The assessment helps an organization determine what to prioritize when developing their cybersecurity strategy, and a six to 12 month roadmap to focus efforts moving forward,” Ingram said.  

Protecting your dealership has historically meant acquiring coverage for vehicle inventory, physical facilities, and business income loss. With the increasing amount of data handled by employees and the threat environment becoming more intense, a cybersecurity policy may become the additional protection your dealership needs to survive a data breach and its potential multimillion-dollar costs.

USING ARTIFICIAL INTELLIGENCE TO AUTOMATE SECURITY

Artificial intelligence (AI) is transforming marketing for dealerships (see article on p.12), but it also performs as an automated security solution. According to research by the Ponemon Institute, breach costs in organizations with fully deployed automation were 95 percent lower than those without.⁴ AI can identify threats early on, one of the factors leading to lower breach costs.

ADDITIONAL CYBERSECURITY RESOURCES

National Auto Dealers Association (NADA)

National Institue of Standards and Technology (NIST)

This article was originally published in Zurich NA's "Dealer Principle", Volume 2, Winter 2020.