GNYADA 2019 Membership Directory & Services Guide

5. Have a pre-established plan in place to deal with data security breaches. The FTC has said that your Information Security Program must include a detailed incident and breach response and notice plan to execute in the event of any security breach or database hack in which customer information is or may have been wrongfully accessed, whether by internal or external persons. Pre-identify a team of people to manage the breach and responses. The team should represent each department that might be affected by a breach or that has to be mobilized to interact with the public, including legal, human resources, privacy, security, IT, communications, and, if you are publicly traded, investor relations. Part of the team’s role is to analyze risks to data, data flow, and worst-case scenarios. Test your plan periodically by doing mock drills. Consult your attorney to know your state law and the laws of your customers’ states of residence about when you have to give notices to customers about data breaches.

6. Prepare template customer communications in advance and consider retaining a forensics expert who can quickly capture and analyze your IT system to identify the source of an electronic breach and mitigate further losses. Consider channeling all third-party communications through only one person for consistency. The steps you take in the first 48 hours after a data security breach may be the most critical to mitigating the breach and minimizing losses. Those steps should be laid out in advance in your security breach response plan. That is why your plan should assign roles to breach response team members in advance, so each knows their precise responsibilities and the response team can be immediately assembled.

7. Do not transmit customer information over insecure channels such as unencrypted email, P2P systems, or wireless access points. These are not secure media. The FTC has cited the absence of data loss prevention software and an intrusion detection system on these media as inadequate practices for an Information Security Program.

8. Run an OFAC SDN List check on every customer, cash or credit. If you get a preliminary hit, follow the steps listed by OFAC to determine whether the hit is a “false positive.” Do not do business with the customer until you are certain that they are not the person listed on the SDN List. Keep a record of OFAC checks for five years.

9. Develop a risk-based Red Flags Identity Theft Prevention Program (ITPP) and implement it consistently for all consumer credit customers and business credit customers that present identity theft risks. Use your ITPP with every customer and document that you’re doing so. Choose red flags that are appropriate to the size, location, and activities of your dealership. If you sell vehicles over the Internet or to customers who never physically come to your dealership, take enhanced steps to verify those customers’ identities. Examine photo IDs, look at recent credit bureau activity, and use an electronic identity verification service to compare customer information against databases of fraudulent activity and to assess the customer’s given Social Security number. Identify any red flags in your ITPP that these actions reveal. If you cannot readily resolve the red flags with the customer, use knowledge-based authentication “challenge” or “out-of-wallet” questions as well. One best practice to address a questionable Social Security number is to ask the customer to access their Social Security earnings statement on their smartphone or a dealership PC. Escalate problematic customers to

hot topics / 2019 membership directory & services guide
