How to protect customers' private data

AUTOMOTIVE NEWS ILLUSTRATION

A nightmare scenario for any dealer is to have a data breach. If customers' information is compromised at a dealership, that store has to reach out to every single person it has done business with and let them know.

That's not good for business. A survey by Total Dealer Compliance found 84 percent of car buyers would not go back to a dealership that had a data breach.

"So just based on that, [dealers] should take physical and computer security seriously," said Total Dealer Compliance CEO Max Zanan.

There are two lines of defense against data crooks.

Dealerships rely on procedures to ensure that their employees don't leave the doors unlocked, as it were, and on the software that runs in the background of their dealership management systems to maintain cybersecurity.

A hack specifically to steal a dealership's customer information is not very likely, according to Zanan and Michael Alf, a computer-savvy general manager and co-owner of St. Charles Toyota near Chicago.

Alf noted a 2013 breach of retail giant Target. In that instance, hackers gained access to Target's costumer service database by way of a third-party vendor's credentials, installed malware and then culled the personal information of tens of millions of customers.

"But the reality is people aren't going to go into dealerships and do that," Alf said. "We don't have enough data."

In other words, a sophisticated hack on an individual store is typically not worth cyber thieves' time. More concerning to dealerships are phishing scams and malware or ransomware attacks.

Ransomware defense

With ransomware, "No one gets the data," Alf said.

Instead, the store is held hostage until a payment is made. "And I'd say that's the biggest threat to a dealership at this moment," he added.

"No one's going to go in and really steal your data on a computer level. But having malware installed that encrypts the data and no one can get access to it — that's the big problem."

Alf defends against potential security threats by using Apple's Macintosh computers, which he said typically are more secure than PCs that run on Windows software.

He also does not give anyone in his dealership administrative rights to the dealership-wide system. That way, if someone in the dealership does click on malware, for example, the threat typically ends there.

"So that's how we protect against that malware-type infestation," he said.

Concerns of larger-scale data breaches typically fall on the DMS companies' shoulders. For dealerships, much of this is running in the background.

Reynolds & Reynolds builds data-protection protocols into its DMS system, and that functionality is not an added tool or something dealers would manually install, spokesman Thomas Schwartz said in an email.

Encryption

He said data protections range from encryption techniques to CAPTCHA logins, secure communications with partners and automakers "and many things in between."

Schwartz said the company would not want to go into specifics on how the systems and software are designed to protect data, as security measures "should be kept confidential and, in our case, are proprietary."

CDK Global, too, builds data protections into its DMS system, such as encrypting data both at rest and in transit.

The company in 2015 launched Dealer Data Exchange, or DDX, which monitors where data is used and with whom it's being shared.

Within DDX, dealers can submit requests to terminate data flows to certain third parties, access reports on identified unauthorized access to their DMS and receive automated alerts on any new connections that appear in their reports, Howard Gardner, vice president of data services at CDK, said in an email.

In the meantime, dealerships, of course, also have a responsibility to protect their customers' personal information. And that doesn't necessarily mean having access to a specific tool.

"When it comes to electronic security, hackers don't want to hack. That requires a lot of work and a lot of thinking" said Zanan of Total Dealer Compliance. "It's much easier to do social engineering."

Max Zanan is founder and CEO of Total Dealer Compliance.

Social engineering

Social engineering refers to criminals mimicking email addresses or impersonating people to gain sensitive information.

For example, a crook could call the dealership and say they're from a financial company and need information on a particular customer. "And then if somebody who answers the phone at the dealership doesn't do any verification, they just say, 'No problem, here you go,' all the encryption goes out of the window," Zanan said.

Proper staff training is key to preventing this, he said.

Zanan also noted that the world has not yet gone completely digital, and procedures for safeguarding data outside of computers, such as on paper documents, still need to be in place.

All F&I offices should have locks on the doors, he said, and papers with sensitive personal information should not be left lying around on desks.

Again, it comes down to training. Said Zanan: "There is no shortcut."

RECOMMENDED FOR YOU
Get F&I in front of customers sooner
Letter
to the
Editor

Send us a letter

Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

Recommended for You
Get F&I in front of customers sooner
Buffett's Berkshire Hathaway triples stake in Ally Financial
Buffett's Berkshire Hathaway triples stake in Ally Financial
FTC proposal on saving records ‘extreme'
FTC proposal on saving records ‘extreme'
Sign up for free newsletters
Digital Edition
Automotive News 8-15-22
THIS WEEK'S EDITION
See our archive
Fixed Ops Journal
Fixed Ops Journal 8-8-22
Read the issue
See our archive