Small-time security threats bigger concern

The biggest threats to a dealership's data aren't Russian hackers breaking through electronic firewalls or robots trying a thousand passwords on security codes until they finally crack into the system.

It's more likely the mundane stuff that will cause a breach that enables personal consumer data to slip out of the store, said Brad Miller, director of legal and regulatory affairs for the National Automobile Dealers Association.

Watch out, he said, for laptops that may contain sensitive files being stolen out of cars. A thumb drive that contains code capable of capturing passwords or data can be plugged into the laptop.

Also, software vendors long ago dropped by a dealership may retain active pass codes that enable data to be taken from the dealership, unbeknownst to store employees, Miller said. Or pirates may send dealership employees a "phishing" email hoping to fool one into giving out information or a password that opens the system to the thieves.

"Most of what happens is low-tech," Miller said.

In fact, hackers' theft of Target customers' credit card information in 2013 was traced to a heating, ventilation and air-conditioning contractor.

The contractor had access credentials to Target's network, which the hackers stole and used to get into Target's computer system.

Miller said it is incumbent upon dealerships to ensure they have processes and policies in place to know who has access to their data and what the information is being used for.

Moreover, employees have to be constantly trained, especially in light of turnover at stores, on how to safeguard those data, he said.

Regulators consider dealerships to be financial institutions because of the magnitude of sensitive consumer personal information and transactional data collected in the F&I department, he said. That's a high bar requiring vigilance.

Dealerships are advised to create an emergency response plan in the event of a breach, said attorney Kristen Mathews, head of the privacy and data security practice at Proskauer Rose law firm in New York.

"Have a first-incidence-response team. Have a written incidence-response plan that articulates how a company is going to respond," she said at the American Financial Services Association conference held in January in San Francisco just before the NADA convention.