The Other Shoe Just Dropped
The costs of failing to prepare for cyberattacks can be staggering and can include economic damages, reputational risk, and regulatory and legal scrutiny.

“Waiting for the other shoe to drop” is an expression used when two bad things are expected to happen, one after the other. Ever since the FTC’s Safeguards Rule was announced a few years ago (the first “bad” thing), I’ve been waiting for a second, and in my mind inevitable, event: someone in our industry having an incident that brings scrutiny upon everyone else.
THE CYBER ATTACKS ON CDK
In my view, the cyberattacks (believed to be ransomware) on CDK Global, a leading provider of dealership management software, are such an event. The other shoe has now dropped, and dropped quite loudly. It may have even put a hole in the floor.
At this point it’s unknown whether any personally identifiable customer information was obtained by the CDK attackers, but the attacks forced the company to shut down many of its systems, which left thousands upon thousands of dealerships unable to complete sales and caused other disruptions to business, and that has grabbed nationwide headlines. In my view, it’s inevitable that the FTC will dig into this event to determine whether the company’s cybersecurity efforts and Safeguards systems were sufficient.
I don’t think they’ll stop there, either. I think that the FTC will want to dig deeper and look into the company’s dealership clients, how they were impacted, and whether they conducted proper vendor management and performed due diligence on vendors, as the Rule requires. The bottom line, in my mind, is that the FTC now has all the reasons it needs to “look under the covers” of vehicle sales and finance companies, service providers, and other industry participants.
A CALL TO ACTION
Consider this a call to action. For those of you who have taken the Safeguards Rule seriously, good for you, but I challenge you to ask yourselves whether you’ve been keeping up with your efforts as your business practices have evolved over the past few years. It’s time to confirm that your data protection is robust, that your employees are being adequately trained, and that you have robust incident response plans. If operational changes have taken place since you implemented your Safeguards policies and practices, then it’s time to update those policies and practices and stay on top of your business.
For those of you who have chosen, either intentionally or not, not to invest in Safeguards compliance, I implore you to reconsider your approach in light of this development. I’ll be candid: I talk to lots of dealers, and I think many fall into this bucket and take a “we’re too small” or “how are they going to find out” approach. That way of thinking is a tremendous risk. Are you willing to bet your business on it?
Whether your IT function is in-house or you outsource this work, now is the time to have a candid conversation with your subject matter experts and find out if they are truly up to the task. In my experience, most IT professionals are great at hardware and system infrastructure, but not everyone has cybersecurity expertise, which is necessary to formulate a defense and protect your business. As part of your review, take a look at the following:
- Security Assessment: Assess your current cybersecurity measures and look for vulnerabilities. I know of a multi-store dealership that suffered an incident because of one vulnerability. It’s important to understand all of the hardware you’ve deployed, who has access to it, and how. Be sure that you have a process in place to recover laptops, iPads, and phones from terminated employees and to turn off their system access.
- Protect your Data: Be sure to implement robust data encryption so that all business data is protected both in transit and at rest. I realize that two-factor authentication takes time and is inconvenient, but dealing with breach issues is even worse.
- Employee Training: Your personnel are your first line of defense. Be sure to provide them with training on data protection and best practices. I’m a fan of phishing tests to identify those most likely to open a phishing email. Make sure that every member of your team uses their own username and password and that nobody is sharing credentials to save a few dollars on a software license.
- Have an Incident Response Plan: The Safeguards Rule places the burden on you to have an Incident Response Plan that outlines the steps you’d take if there were any sort of breach or security incident. It’s well worth the effort to plan ahead.
THE BOOGEYMAN IS REAL
It’s time to drop what you are doing and make Safeguards Rule compliance a priority. The Boogeyman does exist, and it has the powers of investigation and enforcement, thousands of employees, and a big war chest behind it. The recently effective amendment to the Rule, which mandates that breaches of 500 or more unencrypted records be reported to the FTC, means that even small companies suffering an incident must self-report, and a failure to do so can truly break a business.
The CDK security breach should serve as a wake-up call for the entire auto sales and finance industry. Even the smallest stores have lots of personally identifiable information, which makes them an attractive target for the “bad guys”. You’ve solicited the customer’s data, and it’s your duty to protect it. The costs of failing to do so can be staggering and can include economic damages, reputational risk, and regulatory and legal scrutiny.
