[Source: Eric Stiles, Construction Equipment Distribution, 2014 | Keywords: Business, Operations, Identity Theft]
A finance officer at a financial institution was let go due to poor performance. Before the employee had been terminated, the worker used the company’s computers to access customer account information such as names, social security numbers, driver’s license numbers, and home addresses. The employee used this information to open accounts and incurred unauthorized charges under the names of the individuals from whom he stole the personal information. The defendant made numerous purchases totaling over $50,000. (Source: U.S. Department of Justice, March 2013).
Could this happen at your dealership? Unfortunately, the answer is yes. This is why it is important to safeguard customer data. Not only is it good business practice, it’s the law. The Federal Trade Commission (FTC) requires businesses, financial institutions and creditors (including dealerships and businesses involved in financing or arranging purchase or lease financing) to develop and implement a written program to identify and detect the relevant warning signs – or “red flags” – that may indicate identity theft.
The program must also prevent and mitigate instances of identity theft and has to be managed by the board of directors or senior employees of the business entity. It must include appropriate staff training and supervision, oversight of the use of any credit service providers at the dealership, and must describe appropriate responses that would prevent and mitigate the crime, as well as detail a plan to update the program as needed.
General Requirements
A written information security plan should designate one or more senior management staff to coordinate and oversee your customer identity information security plan. They would have the responsibility to identify and assess the risks to customer information in each relevant area of the dealer’s safeguards by regularly monitoring and testing the program. They would also:
- Select outside service providers who are qualified to maintain appropriate safeguards. Your contracts should require service providers to maintain stipulated safeguards and oversee their handling of customer information.
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations and the results of security testing, monitoring or actual identity theft incidents.
Employee Management and Training
Develop policies for employees who transmit data. Consider whether and how employees should be allowed to keep or access customer data at home. Also require that employees who use personal computers to store or access customer data use approved security against viruses, spyware and other unauthorized intrusions. Coordinate this security with your information technology area.
Additional risk controls include:
- Check references and do background checks before hiring employees who will have access to customer information.
- Require that every new employee sign an agreement to follow your company’s confidentiality and security standards for handling customer information.
- Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information.
- Impose disciplinary measures for violations of the employee security policy.
- Regularly remind all employees of your company’s policy and its legal requirement to keep customer information secure and confidential. Consider posting reminders about their responsibility for security in areas where customer information is stored.
Security Policies
- Develop policies for appropriate use and protection of laptops, PDAs, cell phones or other mobile devices. Ensure that employees store these devices in a secure place when not in use. Consider that encrypting customer information will better protect it if a mobile device is stolen, breached or damaged.
- Immediately deactivate the user names and passwords of terminated employees to prevent them from accessing customer information. Take additional appropriate measures as needed.
- Limit access to customer information to only those employees with a legitimate business reason to see it. Provide employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs.
Information Systems – Software and Business Networks
- Control access to sensitive information by requiring employees to use strong passwords that must be changed on a regular basis. Strong passwords should include at least six characters consisting of a combination of upper and lower case letters, numbers and symbols. Never use easily obtainable or discernible personal information as passwords such as dates, titles, spouse or child’s name, etc.
- Use password-activated screen savers to lock employee computers after a period of inactivity. Take steps to ensure the secure transmission of customer information.
- Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access.
- When customer information is stored on a server or other computer, ensure that the computer is kept in a physically secure area and is accessible only with a strong password made up of eight or more characters, including symbols, spaces and punctuation if possible.
- Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information.
- Dispose of customer information in a secure manner.
- Look out for suspicious e-mail attachments and Internet downloads.
- Install, maintain, and apply anti-virus programs.
- Install and use a firewall.
- Remove unused software and user accounts; securely wipe all data from equipment before it is replaced or disposed of.
- Create backups of important files, folders and software.
- Keep current with software updates.
Audit Procedures and Detecting Control Failures
Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.
- Keep logs of activity on your network and monitor them for signs of unauthorized access to customer information.
- Use an up-to-date intrusion detection system to alert you of attacks.
- Monitor both inbound and outbound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user.
- Insert a dummy account into each of your customer lists and monitor the account to detect any unauthorized contacts or charges.
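One way to automate the three audit checks above (activity by a terminated account that should have been deactivated, any access to the dummy account, and unusually large outbound transfers) is to run simple rules over the access log. This is an added example, not code from the article; the log format, user names, record numbers and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the article): who accessed which customer record.
SAMPLE_LOG = """\
2014-03-03T09:12:01 user=jsmith action=view record=C10021 bytes=2100
2014-03-03T09:12:40 user=jsmith action=view record=C10022 bytes=2050
2014-03-03T09:13:05 user=jsmith action=export record=C10023 bytes=950000
2014-03-03T09:14:10 user=rlee action=view record=C99999 bytes=2000
2014-03-03T09:15:00 user=tbrown action=view record=C10030 bytes=2100
2014-03-03T09:16:30 user=jsmith action=export record=C10024 bytes=1200000
"""

CANARY_RECORDS = {"C99999"}      # the dummy account seeded into the customer list (constructed)
DEACTIVATED_USERS = {"tbrown"}   # accounts that should have been disabled at termination (constructed)
EXPORT_BYTES_LIMIT = 1_000_000   # per-user outbound volume that warrants a look (assumed threshold)

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"record=(?P<record>\S+) bytes=(?P<bytes>\d+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than trusted."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "bytes": int(m["bytes"])}

def detect(log_text, canaries=CANARY_RECORDS, deactivated=DEACTIVATED_USERS, limit=EXPORT_BYTES_LIMIT):
    """Apply the three audit rules and return (rule, user, detail) tuples for every hit."""
    alerts = []
    outbound = Counter()
    for e in parse(log_text):
        if e["record"] in canaries:    # nobody has a business reason to touch the dummy account
            alerts.append(("canary_access", e["user"], e["record"]))
        if e["user"] in deactivated:   # control failure: a terminated account is still active
            alerts.append(("deactivated_user_active", e["user"], e["ts"]))
        if e["action"] == "export":
            outbound[e["user"]] += e["bytes"]
    for user, total in outbound.items():
        if total > limit:              # unexpectedly large outbound transfer by one user
            alerts.append(("bulk_export", user, f"{total} bytes"))
    return alerts

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] user={user} {detail}")
```

The threshold and rule set are deliberately small; in practice the same loop would read the dealership's real logs and the list of deactivated accounts would come from HR offboarding records.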
Action Steps If Security Breach Occurs
It’s important to preserve, and review, the files or programs that may reveal how the breach occurred. If data has been or may have been compromised, take action to prevent further damage, such as disconnecting the affected computer from the Internet.
Additional steps include:
- Contact security professionals to help assess the breach as soon as possible.
- Notify customers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm.
- Notify law enforcement if the breach may involve criminal activity or if there is evidence that the breach has resulted in identity theft or related harm.
- Notify the credit bureaus and other businesses that may be affected by the breach.
- Research and comply with any additional breach notification procedures that may be required under applicable state law.
In summary, a business needs a security plan as much as it needs a marketing plan. A viable security plan can help avoid unnecessary monetary losses and negative publicity and, most importantly, help the business properly safeguard its customer information.
This document is made available by Sentry Insurance, a Mutual Company and its subsidiaries and affiliates (collectively “SIAMCC”) with the understanding that SIAMCC is not engaged in the practice of law, nor is it rendering legal advice. The information contained in this document is of a general nature and is not intended to address the circumstances of any particular individual or entity, nor the best practices applicable to any particular individual or entity. Legal obligations may vary by state and locality and best practices are unique to specific items and situations. No one should act on the information contained in this document without advice from a local professional with relevant expertise.