Pub. 14 2024 Issue 4

Counselor’s Corner

Dealerships Must Ensure Security Solutions Are in Place to Protect Personally Identifiable Information That Is Digitally Exchanged

BY JULIE CARDOSI, ESQ.
LAW OFFICE OF JULIE A. CARDOSI, P.C.

Following this year’s significant cybersecurity incident involving many dealerships’ third-party service provider, security and privacy questions continue to arise relating to various types of information and data. As a reminder, under the Federal Trade Commission (FTC) Safeguards Rule, additional changes went into effect last year impacting, among other things, dealerships’ digital communications. Along with these changes, the amended Safeguards Rule requires dealerships to have developed and implemented, and to maintain, a comprehensive security system to keep their customers’ information safe.

After extension by the FTC, certain changes went into effect as of June 9, 2023. These provisions required dealerships to:

• designate a qualified individual to oversee their information security program;
• develop a written risk assessment;
• limit and monitor who can access sensitive customer information;
• encrypt all sensitive information;
• train security personnel;
• develop an incident response plan;
• periodically assess the security practices of service providers; and
• implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

The amended Rule also updated the employee security training requirement. Dealership security awareness training must reflect risks identified in a risk assessment, along with ongoing training for security personnel. This includes verification that security personnel are taking steps to stay current on emerging threats and countermeasures.
While dealerships should by now have their policies in place and implemented, the Safeguards Rule changes include standards and procedures for data security which require dealerships, pursuant to their updated security programs, to notify the FTC of security incidents that affect at least 500 customers, and to ensure “end-to-end” security encryption of personally identifiable information (PII) sent digitally over external networks. In other words, PII exchanged between dealership personnel and customers must be encrypted in transit. This means that for a dealership to be compliant, use of unsecured, unencrypted text messages and email is not permitted.

One obvious problem, however, is that purchase transactions may routinely be initiated and conducted via email and text messages, including, without limitation, communications that flow through the dealerships’ DMS and CRM systems and texting and messaging applications. And some have argued that the shortcomings of some dealership cybersecurity

Illinois Automobile Dealer News
