Pub. 2 2022 Issue 1

establishing a multifactor authentication program; ensuring development practices are secure; disposing of data in a secure and appropriate manner; developing procedures to maintain security when there are changes to your system; and monitoring and logging user activity. Most dealerships will need some outside assistance with this undertaking, but should be aware that your service providers must also maintain adequate information security practices.

Step 4: Test Your Controls

Once you have implemented the mandatory safeguards, you are required to test their effectiveness. You must either continuously monitor your security program or perform periodic penetration testing and vulnerability assessments. Penetration testing involves attempting to access your information system from outside that system and must be performed annually if you do not elect to use continuous monitoring. A vulnerability assessment involves scanning your information systems to identify known security risks and is required every six months if you do not use continuous monitoring.

Step 5: Develop Personnel Policies

This portion of the Amended Safeguards requires security awareness training for all staff and some level of specified training for any personnel directly involved with your information systems. You are likewise required to keep security training up to date with respect to current security practices and risks.

Step 6: Oversee Your Vendors

You are responsible for ensuring that any vendors with access to your customer data maintain adequate safeguards to protect the security of that data. Dealers cannot simply rely on contractual assurances from their vendors (although they should obtain those assurances) but must engage in some level of due diligence to make sure that your service providers have a record of safe practices. Similarly, you should review these practices periodically. It may be advisable to include consent to a third-party security review as part of your vendor contract.

Step 7: Prepare an Incident Response Plan

An incident response plan is a written document that you must prepare to guide the steps your business will take in the event of a security event, defined as an event resulting in unauthorized access to, or disruption or misuse of, an information system or customer information stored in physical form. Importantly, a security event can occur even if there is no risk of resulting consumer harm. Thus, even unsuccessful attacks on your system could constitute a security event. Your incident response plan should include not only the steps you will take to respond to the event, but also a description of the lines of decision-making authority and of the internal and external communications that will be used following a security event.

Step 8: Prepare an Annual Report

Another required written document, the annual report, should discuss not only the overall status of your information security program but also an overview of the results of any risk assessments, the steps taken to comply with the Safeguards, arrangements made with vendors or service providers, and any actual or threatened security events. The annual report must be made by your Qualified Individual each year to the board of directors or, in the absence of a board of directors, to a senior member or company official with authority over the information security program.

These requirements can be overwhelming, especially if you have not already begun to implement them.
If your dealership needs assistance with compliance, there are vendors available to support your development of the required procedures, such as KADA’s Preferred Partner, ComplyAuto.

For questions or further information, please contact your Stoll Keenon Ogden Automotive Dealership Services team:

Sarah Bishop; (502) 875-6245; sarah.bishop@skofirm.com
Ron Smith; (317) 822-6787; ron.smith@skofirm.com
