2018 GNYADA Membership Directory

required. Destroy hard drives and flash drives on computers, copiers, fax machines, and wireless devices using industry-standard procedures before discarding them or trading them in for replacements. Disable USB flash memory drives. Try to store customer information only on secure central servers and preclude the ability to download it. Some states (for example, Massachusetts) require that customer information contained on laptops, tablets, cell phones, and other remote devices be encrypted. Massachusetts and Nevada also require that personal information about residents be encrypted in transmission, which is a best practice in any event and required for credit card data transmission.

3. Manage user permissions to give customer information access only to those employees and service providers having a legitimate business need. Besides negligently making customer information available for theft by outsiders, employees can and do steal customer information and sell it to identity thieves. So it is critical that you keep event access logs of those persons who access your customer information in both paper and electronic files. Review the access logs regularly to monitor for patterns of irregular activity by users. Set your system to prevent downloading or file transfers of customer information to computers, USB memory sticks, PDAs, cell phones, tablets, or other remote devices, and disable PC PSTs. If you have a credit application on your website, make sure it is encrypted, and begin safeguarding and tracking access to it from the time it is completed by the consumer and securely transmitted to your dealership. Keep your antivirus, anti-malware, and firewall software up to date. If you permit employees to use their own devices to access dealership information, do a risk assessment of BYOD issues and determine whether it is feasible for your dealership to implement a policy that enables employees to use personal devices. If so, employ mobile device management (MDM) software to manage the devices. If not feasible, end their ability to do so and require that only company-issued devices be used to access dealer databases and information.

4. Have an acceptable use policy. Help control risk by adopting an “acceptable use” policy that ensures employees are not sharing their devices, are adhering to strong passwords, and that any corporate-owned data is encrypted. Text messaging should also be discouraged, as it is discoverable from the device in litigation and the use of acronyms or shorthand often leads to misunderstandings.

5. Have a pre-established plan in place to deal with data security breaches. The FTC has said that your Information Security Program must include a detailed incident and breach response and notice plan to execute in the event of any security breach or database hack in which customer information is or may have been wrongfully accessed, whether by internal or external persons. Pre-identify a team of people to manage the breach and responses. The team should represent each department that might be affected by a breach or that has to be mobilized to interact with the public, including legal, human resources, privacy, security, IT, communications,
