What do you do in the aftermath of a “security event”, meaning anything that results in unauthorized access to or misuse of an IT system and its contents? The answer to that question must be set forth in a written Incident Response Plan, and that plan must be in place before a security event occurs, not drafted after the fact.
Your Incident Response Plan
Your Incident Response Plan should address the following:
First, when a breach is detected, take whatever steps are necessary to contain the breach and stop any further data loss.
Second, notify appropriate law enforcement and – this is important – your dealership’s attorney. Many states have mandatory consumer notification requirements with time frames for such notification. You can’t afford to get this wrong, so call your lawyer.
Third, remediate the weaknesses and fix the vulnerabilities that allowed the security event to occur in the first place. Once that’s accomplished, run a full internal penetration test and a complete vulnerability assessment.
And fourth, notify all affected parties in a timely manner of what happened, what data was compromised, and what you’re doing about it.
NADA has produced an Incident Response Plan template in its Dealer Guide to the FTC Safeguards Rule – it’s an excellent place to start.