Pub 2 2022 Issue 2

systems containing customer nonpublic personal information (NPI).

6. Implement a data retention policy and dispose of customer information within two years after the end of a customer relationship, unless doing so conflicts with state or federal law.

7. Adopt procedures for IT change management.

8. Appoint a single qualified individual to oversee the dealership's ISP.

9. Monitor and log the activity of authorized users and detect unauthorized use or access of customer information.

10. Implement a system or software to continuously monitor cybersecurity threats, including annual penetration tests and biannual vulnerability tests. This will be discussed at length below.

11. Perform security awareness training for all employees.

12. Periodically assess service providers for the adequacy of their physical and technical safeguards, and have agreements that contractually obligate them to implement and maintain appropriate safeguards.

Written Risk Assessment

The Revised Rule revisits the risk assessment requirement and expands on it with more detail and specificity. The Revised Rule requires that dealerships create a written risk assessment that includes:

• Criteria for the evaluation and categorization of identified security risks or threats faced by the dealership;

• Criteria to assess the confidentiality, integrity, and availability of the dealership's information systems and customer information, including the adequacy of existing controls; and

• Requirements describing how identified risks will be mitigated and how the information security program will address the risks.

Annual Penetration Testing

New to the Revised Rule, dealers are required to perform annual penetration testing to evaluate the effectiveness of the safeguards' key controls, systems, and procedures.

Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems. Additionally, the FTC cited "social engineering and phishing" as an important part of penetration testing; although such testing targets employees with access to the information system rather than the system itself, that does not exclude it from the definition of penetration testing.

Biannual Vulnerability Assessments

The Rule now requires that dealers conduct biannual vulnerability assessments to detect publicly known vulnerabilities. Note that these assessments apply to information systems, not to information in physical form. In its comments, the FTC notes that free resources are available that automate vulnerability assessments, such as "OpenVAS" and "Nmap.org."

Service Provider Agreements and Other Requirements

The definition of "service provider" is not updated with this revision, nor is the requirement for dealers to "take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards."
