2017 GNYADA Membership Directory

• Preserve and review files or programs that may reveal how the breach occurred.
• If feasible and appropriate, bring in security and forensics professionals to help assess the breach as soon as possible.
• Preassign responsibilities under the incident response program to specific individuals at the dealership so a response team can be quickly assembled and begin to take action immediately.
• Consider notifying consumers, law enforcement, and/or businesses in the event of a security breach:
  • Assess the state laws applicable to your business. Most states have laws that require consumer notification. Your response program should include template letters for customers in all states and territories.
  • Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm. Certain state laws require the Attorney General or other state regulator to be notified or receive copies of notices that are sent to consumers.
  • Notify the credit bureaus and other businesses that may be affected by the breach.
  • Consider as a best practice offering consumers one to two years of credit monitoring or other identity protection service at no charge. A number of states now require providing these services.
  • Don’t delay in sending the notices once you determine the nature and size of the breach and have taken steps to correct it. Some state laws have tight timeframes for when notices to consumers and government authorities must go out.
• Test your response program periodically and make appropriate changes.
• Consider obtaining cybersecurity insurance to cover costs of responding to a breach. Cybersecurity insurance is available in forms to cover specific costs (e.g., costs to notify customers and provide credit monitoring, costs of forensics and other consultants to identify and contain the breach) and is affordable based on the extent of coverage and policy deductibles.

Consumer information must be kept secure and confidential at all times and it is important to protect information from the moment it is received until the moment it is securely destroyed. A study by Michigan State University estimated that 51 percent of all security breaches occur in the workplace, so tracking and monitoring the activity of dealership employees with respect to their access to customer information – in both printed and electronic form – is very important. The FTC has cited a failure to monitor system logs as another deficient security practice.

Bring Your Own Device (BYOD) Risks

A critical issue is employees using their personal smartphones, tablets, and other personal devices to access nonpublic personal information of consumers through their employer networks. “BYOD” or “bring your own device” has become the shorthand expression for use of personal devices for business purposes. The benefits of BYOD often include reduced hardware costs for the company as well as greater employee satisfaction from using a single portable device for workplace and personal use. However, BYOD use adds another element of security risk that should be addressed in your Safeguards Program. A comprehensive risk assessment should be conducted to assess whether employees are already using their own
