
as USB drives or external hard drives. Ideally, customer information should remain on a server with read-only access from user devices;
• Conduct regular audits of your security system and operations to determine the effectiveness of your Safeguards program and to correct any deficiencies; and
• Make customer information "read only" and not downloadable to any remote devices such as cell phones or tablets. These devices are typically harder to secure and should not retain customer information in their local storage.

Take steps to preserve the security, confidentiality, and integrity of customer information in the event of a security incident or data breach in accordance with your Incident Response Plan, which must be part of your Safeguards Information Security Program. The Incident Response Plan should consider elements such as:
• Taking immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect it from the network (unplug the network cable or disable Wi-Fi) but do not power it off, so that volatile evidence such as memory contents is preserved and a forensic copy can be made. Do the same for infected servers.
• Preserving and reviewing files, programs, and logs that may reveal how the breach occurred.
• If feasible and appropriate, bringing in security and forensics professionals to help assess the breach as soon as possible.
• Preassigning responsibilities under the incident response program to specific individuals at the dealership so a response team can be quickly assembled and begin to take action immediately.
• Notifying consumers, regulators, law enforcement, and/or businesses in the event of a security breach:
  • Assess the state laws applicable to your business. Most states have laws that require consumer notification. Your response program should include template letters for customers in all states and territories.
  • Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm. Certain state laws require the Attorney General or other state regulator to be notified or to receive copies of the notices that are sent to consumers.
  • Notify the credit bureaus and other businesses that may be affected by the breach.
• Employing a best practice of offering affected consumers one to two years of credit monitoring or other identity protection service at no charge. Consumer reporting agencies from which you obtain reports may require that you do so, as do a number of states.
• Knowing the deadline by which any required notices must be sent and having a plan to meet that deadline. Some state laws have tight timeframes for when notices to consumers and government authorities must go out.
• Testing your response program periodically and making appropriate changes.
• Obtaining cyber security insurance to cover the costs of responding to a breach. Cyber security insurance is available in forms that cover specific costs (e.g., costs to notify customers and provide credit monitoring, and costs of forensics and other consultants to identify and contain the breach), and it can be affordable depending on the extent of coverage and the policy deductibles.

2020 MEMBERSHIP DIRECTORY & SERVICES GUIDE HOT TOPICS

