Pub 4 2023 Issue1

• Monitoring the access and use of sensitive customer information;
• Completing a penetration test and vulnerability scan;
• Encrypting systems containing customer information;
• Training employees on security awareness;
• Conducting Vendor and Service Provider risk assessments;
• Implementing MFA on all systems containing customer information; and
• Creating and updating a device and systems inventory.

Notably, the provisions that have not been delayed (and never were) are:

• Creating a written Information Security Program (ISP) for your organization;
• Obtaining signed contracts from your vendors (“Service Providers”) who collect customer information, promising to implement reasonable safeguards;
• Periodically assessing your Service Providers to ensure that they have reasonable safeguards in place; and
• Implementing a system capable of detecting attacks and intrusions on your network.

Dealers Should Not Wait to Implement Safeguards Rule Solutions

On paper, the delay sounded good. Once you dig into the details, however, it is less generous than it appears. Because some aspects of the Rule still took effect in January, dealers should not take this delay for granted. This is the time to press on in reinforcing their data protection and cybersecurity practices. Why?

Firstly, completing all requirements of the Rule can be time-consuming because so many parties are involved. You will need to coordinate with the vendor overseeing compliance (such as ComplyAuto), the dealership staff, any Service Providers they work with (so that they complete their own requirements), and potentially your IT company or Managed Service Provider. Unless you are working with an efficient and responsive team, natural bottlenecks will arise as one party waits on another.

Secondly, you should not “miss the forest for the trees”: the FTC should not be the main reason your dealership establishes these data protection and cybersecurity protocols.
Yes, we want to fulfill these requirements to keep the federal government at bay, but I would argue that the main focus should be to prevent data breaches and ransomware attacks. Think about the different forms of damage to your organization that could arise from a data breach or ransomware attack:

• Reputational damage: Dealerships are pillars in their community, and word of a data breach will spread quickly. Additionally, vendors may be wary about working with you in the future.
• Data breach mitigation: Depending on the level of cybersecurity coverage from your insurance company (or lack thereof), you could be paying out of pocket for forensic professionals to “stem the bleeding,” so to speak, and try to recover what you can.
• Dealership downtime: You can bet that your dealership will suffer significant delays as you survey the extent of the breach and work through the mitigation efforts.
• Data recovery: If a ransomware attack resulted in the loss of employee, customer, and dealership information, the road back to where you started will be a long one. Think of all the information that existed prior to the attack that you will now need to rebuild from scratch.
• Consumer protection efforts: Depending on the extent of the breach, you may be legally responsible for the cost of providing identity theft protection measures to all of the consumers whose information was released.
• State and federal penalties: Suffering a breach does not earn you any pity from the government. State and federal enforcement officials will come shortly thereafter to “pour salt in the wound” in the form of heavy fines and penalties.
• Class action lawsuits: Always a significant concern for dealers is a class action lawsuit by harmed individuals whose information was stolen or released.
FTC Using Its Broad Authority Under Section 5 for Cybersecurity Concerns

Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” Given that the FTC Act dates to 1914, it is safe to say that its authors did not have cybersecurity in mind when it was drafted. Nevertheless, as a Nobel Prize laureate once said, “the times they are a-changin’,” and the FTC has wielded this section as a sword against businesses with poor cybersecurity practices. This has become such an issue that Brad Miller, Chief Regulatory Counsel at NADA, spoke about it during one of the educational seminars at the Dallas convention. Having treated false data security or privacy representations as both “unfair” and “deceptive” (terms of art) since 2002, the FTC has since negotiated consent agreements with most
