February 21, 2018 12:00 AM

Don't fret over data security; try these steps

John Pappanastos: "(Dealers) are more focused on asking their partners to keep them off the 9 o'clock news than fundamentally running a compliance organization."

One of the biggest security hazards for dealerships and their vendors is a data breach, but many are unsure of the best ways to protect their information, EFG Cos. said.

Compliance, including data security, is one of the top three worries for virtually every dealer, said John Pappanastos, CEO of EFG Cos. "They just don't know how to do it," he said. "They are more focused on asking their partners to keep them off the 9 o'clock news than fundamentally running a compliance organization."

The average cost of a security breach is $3.62 million, according to a 2017 study commissioned by IBM. And the probability that a company will endure a security breach in the next two years is 27.7 percent.

Dealerships' interest in data security systems and procedures is ramping up quickly, Pappanastos said. Some dealerships just don't know where to start.

EFG suggests that dealers appoint a chief compliance officer at their stores. Much of the time, the COO or fixed ops director takes the additional role. But no matter who it is, Pappanastos said, "they have to take ownership or there's no real buy-in at the store."

Maurice Hamilton: Enhancements can include firewalls, anti-virus software, anti-phishing software and procedures and more.

Automotive retail is regulated under the Safeguards Rule of the 1999 Gramm-Leach-Bliley Act. Digital information is part of the Safeguards Rule, but because dealers adopted technology solutions later than lenders, the digital part of the rule became especially important to dealers several years ago. Technology began to play a more prominent role in auto retail through customer relationship management systems and dealer management systems, for example, Pappanastos said.

Through those systems, "data access points have increased exponentially," an EFG statement said. The auto retail industry is just beginning to take initiatives to protect consumer information digitally, the statement said.

EFG invests about $250,000 in data security enhancements each year, the statement said. Those enhancements can include firewalls, anti-virus software, anti-phishing software and procedures and more, said Maurice Hamilton, EFG's vice president of technology.

Dealerships could also be phishing targets, Pappanastos said.

"If I can get three pieces of customer information from the dealership, I can call [the customer] and say, 'We had a problem with the down payment. Can we get your information again?' " he said.

A hacker can access payment processing software in seconds -- so fast the dealership doesn't know it's happening.

Locked, secure

So how can dealerships protect against data breaches? EFG recommends they follow the ADRIFT acronym:

Assess security risk.
Document procedures.
Review risks that could compromise or reveal consumer data.
Identify a designated compliance officer.
Foresee manageable risk.
Train employees on compliance.

As part of reviewing risks that could compromise customers, EFG suggests that dealers develop a process to safeguard data digitally and physically. For example, when salespeople take a customer's driver's license, they usually make a copy and give it back to the customer. They should store the copy in a locked, secure area rather than leaving it on their desk. When the dealership has no more need for the copy, staff should dispose of it completely, going as far as cleaning the hard drive of the copy machine, according to EFG.

When third parties integrate with dealerships' software, Hamilton suggests the stores get copies of the companies' security certifications. Dealerships should also review the companies' processes, control and procedures for protecting against data breaches, he said.