Auto dealerships are often under the misconception that they are too small to be targeted in a data breach, but in reality, identity theft tied to auto loans and leases has increased 43% in the past year, and the value of this type of fraud could be as high as $6 billion per year.
Housing highly sensitive information from drivers’ licenses to insurance documents to financing documentation, dealerships will inevitably continue to be targeted by information hackers.
As summer begins and brings the launch of some of the biggest annual auto sales events of the year, dealerships coast-to-coast are anticipating a spike in sales. Just last year, total U.S. market auto sales saw a 5% increase between April and May alone. With increased sales, however, comes an abundance of paperwork and client data that dealerships will need to process—and protect.
If the potential for steep regulatory fines isn’t enough to prompt dealerships to take a second look at current information security policies ahead of the summer season, the possible legal consequences, loss of business reputation, and, thus, future customer and revenue losses should encourage dealers to reconsider existing information security protocols.
To create a strong information security strategy, dealerships should consider the following steps.
The General Data Protection Regulation (GDPR) came into effect on Friday, May 25, just in time for Memorial Day Weekend—the unofficial start of summer and official start of mega sales events for dealerships—and there are legal obligations that dealerships collecting European data could face under the new regulation.
Dealerships are considered financial institutions because they store and collect customers’ financial information, which means dealerships have a regulatory responsibility to follow legislative guidelines established to protect against unauthorized access to the personal information of their customers.
Any dealership that collects or stores the personal information of EU citizens should appoint a data protection officer (DPO) to lead information security and act as the main point of contact for employees. It’s also helpful to create an all-encompassing security handbook that can be used as an ongoing reference.
Like most businesses that work with private and confidential information, dealers are heavily regulated and governed. Therefore, these businesses need to be aware of the different privacy laws and legislation that are designed to protect identities, financial data, and personal privacy as they pertain to the business.
For example, under the Gramm-Leach-Bliley Act, dealerships must provide clients and third parties with a description of privacy policies and practices. The Disposal Rule also affects dealerships, stipulating that when a consumer report is no longer needed, the paper file is immediately and securely shredded, or the digital file is destroyed.
Keeping a regularly updated security handbook is a great way to ensure your dealership is aware of and prepared to work in accordance with all legislation impacting the industry.
Knowledge is power
In addition to creating an accessible security guideline detailing best practices, employee training opportunities should be offered to supplement and enhance those messages. With up to 25% of information breaches caused by employee error or negligence, it’s evident that employee training is widely needed.
Dealerships should hold ongoing employee training or check-ins to ensure both new and seasoned employees are up to speed on the dealerships’ current information security protocols. All employees—from salesmen to support staff to HR—should know how to identify, handle, and dispose of confidential information, whether that information belongs to clients or the dealership itself.
It’s especially important to offer seasonal training opportunities ahead of busy sales periods to ensure that all staff is adequately prepared to manage an influx of sensitive customer data.
Physical safeguards are just as important as IT safeguards
In light of recent cyber breaches, auto dealerships are increasingly investing in important digital information security standards and frameworks. With an intense focus on digital security, however, they often overlook the massive amounts of physical information produced inside a dealership office each day.
Identifying risk points of physical information throughout your dealership is the first step toward creating a more secure business. The most vulnerable physical information points often lie in unassuming places, from printers and messy desks to old storage bins and employee trash cans that are typically scattered and unattended throughout the office.
These risk points are susceptible to outside theft—and employee theft—because they may contain documents with sensitive client and company information.
Further, regulations can determine how long documents should be kept, making the retention and pileup of outdated documents even more risky. With that, dealerships must keep tabs on what sensitive materials are being stored within the office, and how, through a document management process, which will help employees determine the appropriate lifespan for documents.
Although implementing a document management process may seem like an obvious tactic, 37% of business leaders admit they don’t monitor how often employees store or remove confidential information in the office.
Dealerships often have to share confidential customer information with third-party businesses when facilitating transactions, and it can’t be assumed that external partners have similar information security standards.
To avoid the loss or theft of customer data as it’s being shared or sent to other businesses, it’s important to confirm the confidentiality and information security protocol of an external partner before sharing client information with it.
Dealerships also see various visitors come and go on a daily basis, particularly when offering major sales incentives. With visual hacking on the rise, it’s important that employees are alert during business hours to monitor unusual activities, such as visitors taking photos in high-risk office areas.
Authorizing and escorting all visitors to the appropriate support staff, whether they are customers, service personnel, maintenance workers, or delivery people, should be a standard procedure.
At the end of the day, reputation is everything, especially in the auto industry, where consumers have limitless options to choose from when it comes to buying an automobile.
Protecting your reputation means protecting your clients’ information through an all-encompassing information security strategy.
Ann Nickolas, vice president of Shred-it, oversees new business development and account management for customers in the commercial, healthcare, and government verticals. In her role, Ann helps businesses secure their confidential information with products and services, policies, and training that help protect them from the risks, fines, penalties, and loss of revenue that come with an information breach. With a history of senior leadership roles in respected global companies like Compass, Cintas, and Coca-Cola, Ann is uniquely positioned to understand the specific information security and privacy challenges facing the hospitality industry.