Identity theft and data breaches continue to be a serious and ongoing issue for consumers and businesses.
In fact, according to the U.S. Department of Justice, “An estimated 17.6 million Americans — about 7% of U.S. residents age 16 or older — were victims of identity theft in 2014.” That includes the misuse of credit card data, as well as personal identity information. In terms of cost, Javelin Strategy & Research found that $15 billion was stolen in 2015 – bringing the total amount over the past six years to around $112 billion. Amid this environment, Small to Midsize Businesses (SMB) such as auto dealerships are perfect targets. You can protect your dealership by implementing a few common sense steps, and by encouraging your staff to follow best practice safeguards:
Tip #1: Acceptable Use
Help control risk by adopting an “acceptable use” policy that ensures employees are not sharing their device, are adhering to strong passwords, and that any corporate-owned data is encrypted. Text messaging should also be discouraged as it is discoverable from the device in litigation and the use of acronyms or shorthand often leads to misunderstandings.
Tip #2: Have a Plan
Have a pre-established plan in place to deal with data security breaches. The FTC has said that an Information Security Program must include a detailed incident and breach response and notice plan to execute in the event of any security breach or database hack in which customer information is or may have been wrongfully accessed, whether by internal or external persons. Pre-identify a team of people to manage the breach and responses. The team should represent each department that might be affected by a breach or that has to be mobilized to interact with the public, including legal, human resources, privacy, security, IT, communications, and, if you are publicly traded, investor relations. Part of the team’s role is to analyze risks to data, data flow, and worst-case scenarios. Test your plan periodically by doing mock drills. Consult your attorney to know your state law and the laws of your customers’ states of residence about when you give notices to customers about data breaches.
Tip #4: Secure Transmission
Do not transmit customer information over insecure channels such as unencrypted email, P2P systems, or wireless access points. These are not secure media. The FTC has cited the absence of data loss prevention software and an intrusion detection system in these media as inadequate practices for an Information Security Program.