F&I and Showroom, February 2015
Letter From the Editor

The more dealers venture online to capture sales, the more they put themselves at risk of a data breach. The editor shares some insights he picked up during this year's Vehicle Finance Conference.

By Gregory Arroyo

Data security is the focus of this month's cover story. It was also the focus of a panel discussion at the American Financial Services Association's 2015 Vehicle Finance Conference, which was held in San Francisco last month, directly ahead of the 2015 NADA Convention & Expo.

The panel, "Protecting Your Customers' Data," included Tony Buffamonte, principal in KPMG LLP's advisory services practices; Boulton Fernando, chief information security officer for Toyota Financial Services; Kristen Mathews, who heads up the privacy and data security group for Proskauer Rose LLP; and Brad Miller, associate director of the National Automobile Dealers Association's (NADA) legal and regulatory affairs department.

Much of the discussion centered on how finance sources can protect their data. But what brings that threat down to Main Street is the fact that dealers collect the same personal data finance sources spend millions to protect.

That realization brought to mind a quote that appeared in a July 2011 cover story on Honda of Tenafly (N.J.). "The one thing I don't like about the Internet is that it nickel-and-dimes you," said co-owner Norman Dorf. "I mean, we're spending a fortune between all the different technology companies."

I know Dorf wasn't referring to data security when he made that statement, but according to the NADA's Miller, it's those expenditures that are putting dealers at risk today.

"The No. 1 issue is dealers rely so heavily on service providers," he said, noting that 40% of the association's 16,000 members are dealers who sell 300 or fewer vehicles per year, "folks that don't have IT staff," Miller added.

"Dealers are swimming in relatively deep water," he said. "They try to hire competent service providers, but they need to monitor these folks."

Miller was part of the team that drafted the 14-page data security memo the NADA distributed in August 2013. It warned, among other things, that regulators such as the Federal Trade Commission (FTC) may consider third-party vendor access to transaction data stored in a DMS as sharing, which is prohibited by the Gramm-Leach-Bliley Act's Privacy Rule. And it's guilt by association if one of your vendors gets hacked and the data it collects from you is compromised.

"Dealers have really put a ring fence around what they've done internally with the way data flows," Miller said. "By necessity, you expose all of this to a bunch of third-party service providers. That's what the federal government agencies have opened their eyes to."

Now, if you haven't conducted a little research on incident response vendors, identity theft companies and even public relations firms, you need to get on it. As the panel noted, you won't have much leverage if you negotiate pricing and terms after you suffer a breach.

You also need to develop a written policy detailing how your organization intends to protect your customers' nonpublic personal information (NPPI). Regulators will treat you much better if you do, at least according to members of the panel.

The first thing you need to do is conduct a risk assessment to identify what KPMG's Buffamonte called your organization's "crown jewels"; for dealers, it's all that NPPI you collect. You also need to gather as much threat intelligence as you can, which associations like the NADA can help with.

In addition, your policy manual needs to address how you intend to notify regulators and your customers if there is a breach. "Reach out to regulators before they reach out to you," Miller warned. "It'll make a difference in how they're going to treat you. But do it at the same time you're ready to go public."

But before going public, Proskauer Rose's Mathews recommended first shoring up the vulnerability. "If you don't, the initial message will likely have inaccuracies," she said.

That's what happened to TJ Maxx when it experienced a breach in December 2006. The company went public a month later. Unfortunately, when the communications officer responded to a question about the size of the breach, she said the number of records compromised was less than one million. "Three months later, it was discovered the breach may have compromised 40 million records," Mathews said. "And when that happens, the scrutiny intensifies."

Finally, as TFS's Fernando noted, "Cybersecurity is not a technology problem, not the office's problem; it's everyone's problem." In other words, those phishing emails that land in your inbox represent a real threat, as you'll read in this month's cover story. It starts on Page 14.

Risk Assessment