There is a constant drip of news about data security breaches, identity thefts and cybersecurity, to the point that it can become background noise. That is, until it happens to you, as I recently found out.
Several weeks ago, I got a call from the administrator of my 401(k) asking if I had requested another distribution from my account. Someone posing as me had managed to obtain a significant distribution from my 401(k) plan. They had my social security number and enough background information about me to convince the Plan Administrator to make the distribution. Coupled with the fact that they knew where to look for my 401(k) account, a data breach seems the likely source of the information this particular criminal used. This has become an all too familiar story for employers and other businesses in our current environment.
As businesses that routinely collect sensitive information from both customers and employees, auto dealers are attractive targets for data thieves. Every auto dealer should take a hard look at its current data security regime and ensure that it is taking adequate steps to protect both its employee and customer information.
This is particularly so here in Pennsylvania, given a decision by the Pennsylvania Supreme Court last fall. In that case, Dittman v. UPMC, the Pennsylvania Supreme Court established that an employer owes its employees a duty of reasonable care to protect their electronically stored information, and that UPMC was liable to its employees for breaching that duty.
While the Court in Dittman only imposed this duty on employers, it is not a stretch to see the Court extending its reasoning to other relationships where a business collects and stores personal information, and then fails (in the court’s opinion) to adequately safeguard it. Even without a Court extending the rationale in Dittman, several states have passed laws protecting their citizens from data breaches, and more are being considered by state legislators at present. In this digital age, auto dealers need to be sure that their systems are secure from both internal and external threats, and that they have taken all prudent and reasonable precautions to safeguard the data that they have collected.
Dealers rightfully depend on their DMS vendors to safeguard their data, but that may not limit the dealer’s liability. DMS contracts routinely disclaim any guarantee of data security. Further, they contain limitations of liability that purport to limit the amount the DMS vendor must pay in damages to the amount paid by the dealer under the DMS contract, or less. These provisions in the contract can make recovering for data breach losses more difficult.
Dealers need to be proactive in defending their customers’ and employees’ data. This includes using appropriate security software, adopting strong data security policies, and training employees on what steps to take, and what things not to do, to avoid a data breach. Employee training should be ongoing, and employee compliance should be monitored. The IT system and all devices that interface with it, including devices owned by employees, need to be protected.
In addition to all the preventative steps that a dealer takes, it is also necessary to have an appropriate breach response plan in place. Understanding how you need to react in the face of a breach can significantly lessen the damage that you suffer. You should also be sure that you are carrying appropriate and adequate insurance to cover losses you might sustain. Sadly, it seems that it is no longer a question of IF you will get hacked, but WHEN, as I can personally attest.