Poor vetting of the cyber security measures taken by the vendors you do business with is a dangerously weak link in auto dealership data security.
Hackers don’t just target dealerships directly. They also compromise the third-party data and digital providers the dealership uses to do business, and through them gain access to the dealership’s critical consumer, sales, and finance data.
Most dealers recognize a duty to safeguard customer information at their stores. What many dealers may not know, however, is the full extent to which their obligations extend beyond the dealership’s doors.
Understanding Insurance Coverage
Dealerships that fail to insist on routine due diligence scrutiny of vendor security protocols put themselves at unnecessary risk. Dealership cyber risk insurance policies often limit coverage for vendor-caused exposure to the dealership’s annual spending on the compromised software. These policies do not cover legal actions, such as the class-action suits that often follow such information breaches.
Risk insurance will not cover these losses if you have not fulfilled your due diligence with third-party vendors. You must show you have verified that these partners are taking all the necessary steps to prevent and mitigate a breach.
Holding Vendors Accountable
Your best position is to self-insure: insist that every vendor you do business with has robust cyber-risk protection in place and practices routine due diligence of the security protocols it uses to protect itself, and you, from unnecessary exposure.
Parts of the Gramm-Leach-Bliley Act (GLBA) and the Safeguards Rule state the dealer is responsible for the actions of any third-party vendor. Dealers must obtain third-party service provider agreements that state they have taken the required steps to maintain a safe and secure environment for the data to which they have access. The Safeguards Rule also requires that providers be vetted, not just their signed agreements.
The FTC, state attorneys general, and the CFPB have used their powers under applicable unfair and deceptive practices acts to sue companies that have experienced the loss or theft of customer information. This is no surprise, since consumers are given a dealership’s privacy notice, which promises reasonable safeguards to protect their information.
Protecting Consumer Data
Every dealership provides a federally required privacy notice that makes the following written statement to customers: “To protect your personal information from unauthorized access and use, we use security measures that follow federal law. These measures include computer safeguards and secured files and buildings.”
Failure by a dealership to protect customer information and data is considered contrary to the above promise and actionable as a deceptive practice. Most dealerships know they need to protect the information they acquire and maintain. However, many fail to verify that the third parties they work with have proper access procedures in place.
“Mistaken assumptions about vendor security are rife, namely that vendors have the proper security controls in place and that default settings are secure,” Forbes reported in the article, Smart Vendor Security Is Key To Avoiding A Data Breach In 2024.
A combination of factors, including a lack of employee cybersecurity education, often creates opportunities for these risks. “[A dealer] is unlikely to know this unless it’s a victim of a cyber event traced to a vendor—or preemptively from a vendor risk assessment audit,” Forbes said.
Training Your Employees
Beyond these risks is the number of people who enter and leave your business daily and may have access to information resources. These include deal jackets, consumer information on work orders, and service paperwork left on or around copy machines or in wastebaskets. If you haven’t drilled your staff in some time on their accountability for the proper handling and protection of consumer information, do it by Friday.
Verizon’s 2024 Data Breach Investigations Report notes that 68 percent of breaches involve the human element.
Every employee who handles data of any type must understand the security risks, be trained, and be accountable for its proper and safe use.
Managing Your Vendor Privacy Program
So, how do you get a handle on your third-party providers? It used to be that you would ask, and a vendor would give you a copy of its privacy notice. That is no longer considered due diligence. To correctly manage your third-party vendor privacy program, you must do an assessment and determine:
- Who has access to your system?
- To what data do they have access?
- Is their access limited, or do they have access to customer information?
- For what purpose are they accessing the data?
- What vendors have access to your facility, and what areas?
All vendor contracts justify vigilant scrutiny. Providing the level of diligence and experience this time-consuming task requires may be more than most dealers want to tackle. Fortunately, it is due diligence you can outsource to qualified resources.
Use this risk assessment checklist to guide your preliminary examination of each vendor with whom you have valid contracts; please note this is not an exhaustive list, so check with your compliance provider:
Customer Privacy Compliance
- Examine the vendor company’s privacy policy and make sure it complies with the GLBA.
- Have the vendor describe its data retention and data destruction policy.
- Are its privacy policies communicated to staff, and is it time to review these policies?
- Does the vendor conduct background checks on employees? What kind, how often, and what criteria are used?
- What is the vendor’s employee exit policy and practice to ensure nonpublic information is no longer accessible to departed employees?
System Security Compliance
- What is your incident policy and plan for a security breach?
- Is your business prepared today to fully recover its data processing systems following a failure?
- Are production systems, the DMS and other data devices, sequestered for limited accessibility, and are intrusion alarms in place and activated?
- How do you protect workstations used for accessing production systems against unauthorized access? At a minimum, require an individual login consisting of a username and password, and set the password-protected screensaver to activate within five minutes or less.
Legal & Regulatory Compliance
- What are your policies and procedures for complying with federal consumer financial laws applicable to the services you provide customers?
- How do you routinely identify and adjust your compliance responsibilities with federal and state laws and regulations?
- How do you communicate compliance responsibilities to employees? Are these also shared with vendors, consultants, and contractors?
- What is your history of government, regulatory, or administrative investigations, proceedings, complaints, and lawsuits?
Ensure your vendor contracts are solid and do not add risk to your business. If examining vendor contracts is not a task you want to take on, an outside compliance and security audit company can do so with the care and knowledge gained from ground-floor experience. When considering recommendations from entities that endorse providers, consider whether sponsorship compensation may be influencing that backing.