2018 GNYADA Membership Directory

The FTC has found that failing to have a defensible password security policy or permitting “weak” administrative passwords such as common words with no capitalization (e.g., “password”), numbers, or symbols (e.g., “12345”) can constitute inadequate data security. The FTC also faulted a leading social networking provider for storing and sending passwords in plain text emails.

The FTC has also focused on employee training as a key element of an Information Security Program. Dealers should train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information. Some protections may include:

• Locking rooms and file cabinets where records are kept;
• Using complex passwords and not sharing or openly posting employee passwords in work areas;
• Encrypting sensitive customer information when it is transmitted electronically via public networks;
• Not clicking on email links or attachments from unknown sources (phishing);
• Referring calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data; and
• Reporting suspicious attempts to obtain customer information to designated personnel.

In addition to training employees, ensure that there is proper oversight and supervision, including:

• Developing policies for mobile devices and employees who use personal devices to make certain that those devices are secured. One way to do this is by using Mobile Device Management Software (MDMS), which creates a secure channel for communications to and from your network and can be used to monitor and track usage as well.
• Developing policies for employees who telecommute. For example, consider whether or how employees should be allowed to keep or access customer data at home. Also, require employees who use personal computers to store or access customer data to use protections against viruses, spyware, and other unauthorized intrusions.
• Imposing disciplinary measures for security policy violations including termination of employment.
• Preventing terminated employees from accessing customer information by immediately deactivating their passwords and usernames and taking other appropriate measures.

Information Systems

Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Replace systems such as Windows versions XP or earlier that are no longer supported and make sure your antivirus, anti-malware, firewall, and other security software is up to date at all times.

Here are some suggestions on maintaining security throughout the life cycle of customer information, from data entry to data disposal.

• Know where sensitive customer information is stored and store it securely. Know its life cycle throughout your organization. Make sure only authorized employees have access. For example:
  • Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
