Continued from the previous page Periodically, a dealership will be required to evaluate and categorize security risks and threats, define the criteria they used to assess these risks and threats, and how a dealership will either mitigate or accept this risk. eighteen (18) months ago, and NADA has been intimately involved with the FTC and engaged in constant communication and advocacy with the FTC to lighten the impact of these Rules. One victory that did come from these discussions is that there is no requirement to hire a certified computer information systems specialist, whose salary can exceed six figures. Now the new Safeguard Rule requires the hiring or appointment of a “qualified individual,” which is a substitute for your old “program coordinator.” A dealership is allowed some flexibility for this position, but the person must be qualified to handle your data and be able to design or implement systems and procedures to oversee your particular data. Fortunately, these tasks can be outsourced to technology and security providers. The FTC is going to require a new written risk assessment and information security program. There are also requirements for written procedures to address how a dealership will respond to a breach of a privacy incident and written annual reports to your Board of Directors. Some more specific requirements, there will be the requirement for a data and systems inventory. This requirement applies to all your computer systems, not just those that store the NPI of consumers. A dealership will be required to inventory all electronic and computer equipment. A dealership will also be required to inventory all software programs and who as access to consumer information, such as vendors, and determine which employees have access to particular consumer information. The inventory could be as broad as a salesman’s mobile phone particularly if they have consumer NPI on the phone or access to it. NADA recommends this inventory be written. Periodically, a dealership will be required to evaluate and categorize security risks and threats, define the criteria they used to assess these risks and threats, and how a dealership will either mitigate or accept this risk. A dealership will also be required to determine how you will specifically address these issues. This issue is going to require the hiring of an IT security firm or person or greater consultation with your existing IT provider. The written security plan will be required to address certain regulatory required objectives and substantive areas. These are set forth in the FTC Safeguard regulation and are quite detailed and beyond the space limits of this article. Please understand that NADA is working on templates that can be molded to your particular dealership. Consequently, some help will be forthcoming. As stated above, a written incident response plan will be required and must address clear procedures for how a privacy violation will be handled. This will obviously require time to evaluate and decide how you will respond, who will be involved, and what specific tasks will be undertaken. The FTC wishes to make sure that a dealership has given a serious evaluation and thought to this. A dealership will then be judged how they followed this response plan in the circumstance of a privacy violation or identity theft event. Our technology systems will require encryption capability for information disseminated from our dealerships and multi-factor authentication for access to consumers’ NPI. This will further require system monitoring and periodic penetration testing and vulnerability assessments. Importantly, this also applies to vendors who have access to our systems. Consequently, communications and coordination with vendors need to be undertaken to implement the Rule by the end of this year. Dealerships are going to be required to have controls for access to consumer information. This will require the potential wvcar.com 22 WVADA
RkJQdWJsaXNoZXIy MTIyNDg2OA==