By Stephen Heath, Chief Technology Officer, TorchLight
Implementing IT security measures to protect the data privacy of both businesses and customers can be a daunting proposition for automobile dealerships, particularly smaller dealerships. The increased demand on resources and staff can be enough to make owners and managers balk at the effort and cost. The recent extension of the Gramm-Leach-Bliley Act (GLBA) to automobile dealers has thrown this challenge into sharp relief by giving dealers a mandate for improving their data protections with a deadline.
GLBA was originally put into place by the Federal Trade Commission (FTC) to ensure that banks and other financial institutions would have technology and procedures in place to protect their customers’ financial data from cyberattacks and breaches. The FTC then extended this safeguards rule to non-bank financial institutions including auto dealers. The new rule was made effective on January 10, 2022, and the FTC gave dealers one year to update processes and comply.
Fortunately, dealerships can take steps to establish or improve their IT and cybersecurity programs, both to meet new regulations and to support their businesses. These steps include developing a security strategy, implementing new procedures, and working with staff to make sure new policies are understood and functional. Key to both GLBA compliance and overall IT security is planning combined with clear, practical and strategic policies for preventing and addressing cyber threats and other issues.
Planning Starts with Asset Inventory
The first step in GLBA compliance is developing an information security program (ISP). An ISP identifies and prioritizes the cyber risks in the dealership and lays out a program and timeline for fixing problem areas. A critical section of an ISP is the IT asset inventory, which identifies the entire range of computers, servers, mobile devices, cloud services and other resources that hold customer data and could be a target for hackers.
An equally important planning step is the development of an incident response plan that lays out how each member of the dealership team will react when there is a breach. In the chaotic first moments after a hack is discovered, the team can turn to the incident response plan, which lists the actions needed from each person on the team to mitigate damage and begin the process of recovery. For most dealerships, the technical aspects of incident response will be handled by an outside vendor – either their managed detection and response (MDR) partner or a specialized forensic response consultant who has the experience and tools needed to locate and eliminate malware.
GLBA also mandates periodic risk assessments that identify changes to the threat landscape, whether those come from new assets or new vulnerabilities. With this information, both the ISP and the incident response plan can be updated.
Adopting Security Technology
There are many IT security technologies that can be included in these plans. Encryption of a customer’s personally identifiable information (PII) is important, whether it’s on a hard drive, attached to an email or on a backup drive. Multi-factor authentication, which confirms a user’s identity via verification codes delivered by text message or email, frustrates hackers who have stolen credentials and allows the dealership to better secure its information at scale. In addition to protecting data, it’s important to have a plan to get rid of unneeded information. Implement a data retention policy that mandates disposing of customer information within two years after the end of a customer relationship, except for data that must be kept under state or federal law.
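The retention rule just described is easy to state and easy to get wrong in practice, because the legal-hold exception and active relationships have to be checked before anything is disposed of. The following script, an added example that is not from the article or from TorchLight, shows one way to run that check over a customer list: every record is classified as either due for disposal or retained, and each retained record carries the reason it was kept, so the review leaves an audit trail. The record layout, the two-year window and the sample customers are all constructed for the example; a real dealership would feed this from its DMS or CRM export.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RETENTION_YEARS = 2  # the "within two years" window described in the policy


@dataclass
class CustomerRecord:
    """Constructed record shape; a real export would carry more fields."""
    customer_id: str
    relationship_end: Optional[date]  # None means the customer is still active
    legal_hold: bool = False          # True if state/federal law requires keeping it
    legal_hold_reason: str = ""


def disposal_deadline(end: date) -> date:
    """Two years after the relationship ended; Feb 29 rolls back to Feb 28."""
    try:
        return end.replace(year=end.year + RETENTION_YEARS)
    except ValueError:  # only happens for Feb 29 in a non-leap target year
        return end.replace(year=end.year + RETENTION_YEARS, day=28)


def classify_records(records: List[CustomerRecord], today: date
                     ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split records into (ids to dispose, [(id, reason kept), ...]).

    Order of checks matters: an active relationship or a legal hold always
    wins over the age of the record, so those are tested first.
    """
    dispose: List[str] = []
    retain: List[Tuple[str, str]] = []
    for r in records:
        if r.relationship_end is None:
            retain.append((r.customer_id, "active relationship"))
        elif r.legal_hold:
            retain.append((r.customer_id, f"legal hold: {r.legal_hold_reason}"))
        elif today >= disposal_deadline(r.relationship_end):
            dispose.append(r.customer_id)
        else:
            deadline = disposal_deadline(r.relationship_end)
            retain.append((r.customer_id, f"inside retention window until {deadline}"))
    return dispose, retain


# Constructed sample data covering each branch of the policy.
SAMPLE_RECORDS = [
    CustomerRecord("C-1001", date(2021, 6, 30)),                      # long past the window
    CustomerRecord("C-1002", date(2022, 9, 15)),                      # still inside the window
    CustomerRecord("C-1003", date(2020, 2, 29), legal_hold=True,
                   legal_hold_reason="state records statute (placeholder)"),
    CustomerRecord("C-1004", None),                                   # active customer
    CustomerRecord("C-1005", date(2020, 2, 29)),                      # leap-day edge case
]


def run_review(today: date = date(2024, 3, 1)):
    """Convenience entry point for the constructed data set."""
    return classify_records(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    to_dispose, kept = run_review()
    print("dispose:", to_dispose)
    for cid, why in kept:
        print(f"keep {cid}: {why}")
```

The review is deliberately read-only: it produces the list of records that qualify for disposal rather than deleting them, so a person can confirm the legal-hold flags are current before the actual purge runs.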
Employee Training
Of course, policies and procedures are only as effective as the team using them. Security awareness training is required to help the dealership team avoid phishing attacks, fake websites and other actions that can result in malware entering the system.
For dealerships without an IT staff, the GLBA requires training one person to be the designated contact to oversee the business’ relationship with its internet service provider (ISP). This person would need to be familiar with the regulations and have enough IT and cybersecurity training to implement the incident response plan. If no such person is available in-house, then a dealership could designate a person from their IT/cybersecurity service provider.
Access to dealership computer systems changes constantly as employees, vendors and other third parties come and go. Each of these events means changes to access rights, either on existing systems or on systems that are added to the network. Change management programs track these changes and make sure that the right people have the right access and that, if someone leaves, their access is revoked. It’s also important that partners who have access to a dealership’s systems have their own security in place, so that your dealership is protected from hackers who have broken into their systems.
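The access review that change management depends on comes down to one question: does every account on every system still belong to someone who should have it? The script below is an added example, not code from the article or from TorchLight, that answers that question by reconciling a list of accounts against a personnel roster. It flags accounts with no recorded owner, accounts whose owner is not on the roster at all, accounts belonging to departed employees, and vendor accounts whose engagement has ended. The roster and account layouts, the system names and all sample people are constructed; in practice the roster would come from HR and the vendor contract list, and the accounts from each system's user export.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    """Constructed roster entry: an employee or a vendor contact."""
    person_id: str
    kind: str                        # "employee" or "vendor"
    active: bool = True              # employees: still on payroll
    access_ends: Optional[date] = None  # vendors: last day access is authorised


@dataclass(frozen=True)
class Account:
    """Constructed account entry from one system's user export."""
    username: str
    system: str
    owner_id: Optional[str]          # None means nobody claims this account


def accounts_to_revoke(accounts: List[Account], roster: List[Person],
                       today: date) -> List[Tuple[str, str, str]]:
    """Return (username, system, reason) for every account that should go."""
    people = {p.person_id: p for p in roster}
    findings: List[Tuple[str, str, str]] = []
    for a in accounts:
        if a.owner_id is None:
            findings.append((a.username, a.system, "no owner on record"))
            continue
        owner = people.get(a.owner_id)
        if owner is None:
            findings.append((a.username, a.system, f"owner {a.owner_id} not in roster"))
        elif owner.kind == "employee" and not owner.active:
            findings.append((a.username, a.system, "employee has left"))
        elif (owner.kind == "vendor" and owner.access_ends is not None
              and today > owner.access_ends):
            findings.append((a.username, a.system,
                             f"vendor access ended {owner.access_ends}"))
        # anything else is a current employee or a vendor still under contract
    return findings


# Constructed sample roster and account exports.
ROSTER = [
    Person("E-1", "employee"),
    Person("E-2", "employee", active=False),
    Person("V-1", "vendor", access_ends=date(2024, 1, 31)),
    Person("V-2", "vendor", access_ends=date(2024, 12, 31)),
]

ACCOUNTS = [
    Account("alice", "DMS", "E-1"),           # current employee
    Account("bob", "DMS", "E-2"),             # departed employee
    Account("svc_dms_vendor", "DMS", "V-1"),  # vendor contract expired
    Account("crm_vendor", "CRM", "V-2"),      # vendor still under contract
    Account("temp_sales", "CRM", None),       # orphaned account
    Account("jdoe", "Email", "E-9"),          # owner unknown to HR
]


def run_access_review(today: date = date(2024, 3, 1)):
    """Convenience entry point for the constructed data set."""
    return accounts_to_revoke(ACCOUNTS, ROSTER, today)


if __name__ == "__main__":
    for username, system, reason in run_access_review():
        print(f"revoke {username} on {system}: {reason}")
```

Running this on a schedule, and again whenever HR or a vendor contract changes, gives the dealership a concrete list to act on rather than relying on someone remembering to remove an account on an employee's last day.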
While all auto dealers have their customers’ best interests at heart, GLBA is throwing a spotlight on cybersecurity issues that many dealership owners are not aware of or in a position to address. What’s more, the act provides a deadline for making changes. The good news is that the data protection techniques spelled out in this article can help a dealer both meet their GLBA requirements and offer dramatically better protection of their customers’ data.