Information Leaks: Safeguards At Your Dealership

We've seen many high-profile data breaches in the last decade. Dealers may think they aren't targets for these kinds of data breaches, but this couldn't be further from the truth. Not only that, but the FTC requires that dealers protect the non-public personal information of their customers.

This video was originally published in March 2019.


Data Breaches: Start with Your Employees

When we talk about information leaks what we're really talking about is data hacks and that can be intentional or accidental. It's the intentional ones were really really worried about.


The greatest risk is not from outside your dealership, but inside, so if you're wondering how to best prevent data leaks—loss of data—start with your own employees.

Written Safeguards Policy

Begin with a written policy that employees are required to read. Employees should read this document when they are first hired and sign an acknowledgment that they read and understood the policy. This process should be repeated annually. Make sure there's no ambiguity. You take this seriously so your employees should as well. If you don't have a policy in place already or need help crafting one for your dealership Mosaic can help.


Safeguards Training

Second, you need training. You should train on the practical implications of your policy:

  • What are employees allowed to do with customer data?

  • What are employees not allowed to do with customer data?

  • What steps should each employee take to protect customer data based on their role at the dealership?

For example, some things employees are not allowed to do:

  • copy it

  • email it

  • take it out of the premises

  • use it for anything other than legitimate business purposes


Establish a Safeguards Program

Third, establish safeguards. There's a whole Safeguards Rule about that, but one item to focus on is the data security of your computer network. IT is key.


If you leave a deal jacket lying around, and it gets stolen, then you've lost one identity. If someone gains unauthorized access to your computer network, they could potentially get all of your customer data. We saw something like this happen to a company called Dealerbuilt when their dealer clients' customer data was stolen after it had been kept on unsecured servers.


Do a Network Vulnerability Assessment

Doing a Network Vulnerability Assessment will give you insight into the weak points of your computer network and under the Revised Safeguards Rule it is required by law. NVAs should be repeated annually and used to identify Safeguards that need to be put in place. You should have hardware and software solutions that can detect bad actors.


A Safeguards Solution

A dealer contacted Mosaic concerned about his computer network. We conducted an NVA and installed hardware and software solutions. Within a month I got a call from the IT professional we used to help get them secure. He explained that the dealership was undergoing a data breach right at that moment. The sales manager was using a file transfer protocol to download 100% of the customer base from the DMS. We were able to detect it, catch him red-handed as he was downloading it onto a thumb drive, fire him, and call the cops. Now that is how you prevent data theft.


If you want to learn more about protecting your customer data and complying with the Revised FTC Safeguards Rule contact us today!