2017 GNYADA Membership Directory

HOT TOPICS

devices for dealership business and accessing nonpublic personal information of consumers in doing so. The risk assessment should identify the types of devices and security features available to select the best technical means for program implementation, and develop the specific policies and procedures governing BYOD administration and management. A good example is Multiple Device Management Software (MDMS), which controls all third-party devices accessing your system and sends and receives information from the device securely.

Lack of physical control over the device should be high on the list for every dealership – the baseline assumption always is that the device will be lost or stolen, or at the very least, accessible to unauthorized third parties. Placing tracking on these devices so they can be located if lost or stolen is a prudent security practice but may raise privacy concerns among employees. Another good practice is to make it clear that intertwining business and personal communications on one device creates a risk of personal information being exposed when parties are in litigation. A best practice is to provide that the employer has the right and capability to wipe or erase all data remotely from any device used for business purposes – and that means the device may be wiped entirely, including personal photos and contacts.

Dealerships also must consider various technical issues, which include the use of untrusted devices, wireless networks, or applications; support for multiple mobile operating systems; installation of security patches and software updates; and interaction with other systems for data synchronization and storage.

Consider the risks. The FTC entered into a consent decree with a dealer that encountered a breach affecting thousands of consumers. The genesis of the breach was a P2P system installed on an employee’s home PC that the employee used to access dealership customer nonpublic personal information, which thereby became available to other users of the P2P network, who were able to access the customer information as well. In 2014, hackers broke into a national bank’s system through the personal computer of an employee who was working from home. From there, the intruders reportedly were able to move further throughout the network through the employee’s virtual private network connection.

Vendors with access to your customer information should be limited and monitored. A national retailer’s huge data security breach occurred when a vendor using a compromised PC accessed the retailer’s system, which allowed a hacker to get into the retailer’s system as well and create accounts and stealth utilities to steal data.

Employees may resist the implementation of security software and measures on their personal devices, as well as forced encryption of customer information in transit to and from the device and at rest on the device, which is a best practice. Dealerships also must detect and prevent “jailbreaking” of the device, where the employee circumvents the organization’s security policies and measures, a practice that MDMS software can make more difficult. Consider having the dealership provide remote devices to employees that you can centrally manage and secure, subject to applicable state law.

FTC Consumer Report Information and Records Disposal Rule

The Disposal Rule requires persons who maintain or otherwise possess consumer report information for a business purpose to properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. For example, paper records should be cross-shredded, burned, or pulverized so the consumer information cannot be read. Consumer information must also be destroyed or erased from all electronic media so that the information cannot be read or reconstructed. For PCs, copiers, smartphones, tablets, and fax machines, this means not only deleting the information but wiping the hard drive clean, as deleted information can remain on the hard drives of these digital devices even if the data is
