6 questions to ask about your data security processes


Security for dealers and finance companies nowadays involves much more than just locking vehicles, the showroom and front door each night.

In fact, EFG Companies recently highlighted that data security is one of the largest areas of concern in 2018 for dealers, finance companies and their partners. According to the Identity Theft Resource Center and CyberScout, 1,579 data breaches occurred in 2017, representing a 44.7-percent increase year-over-year.

While retail automotive has been regulated under the Safeguards Rule of the 1999 Gramm-Leach Bliley Act, EFG Companies insisted that digital data was not considered an important area of focus until recent years.

This risk is driven in part by the rise of digital technology in the automotive market. From wirelessly connected cars to digital customer relationship management systems (CMS), data access points have increased exponentially.

A recent Frost & Sullivan report indicated that IT spending in the connected automotive market is projected to increase 17.3 percent from 2015 to 2025. However, the industry is just beginning to address how to protect private consumer information in a digital environment.

In the physical realm, it takes less than one minute and three pieces of information for a motivated thief to execute a security breach at a retail automotive dealership. In the digital realm, a computer hacker can gain access to payment processing software in seconds, grabbing data and exiting before the dealership is aware of the breach.

According to a 2017 study commissioned by IBM, the average cost of a single stolen data record is $141. The average total cost of a security breach was $3.62 million. The average probability of a company suffering a security breach within the next two years is 27.7 percent. 

“Machine learning and sophisticated hacking software will make data security an even more important component of the retail automotive sector,” said Maurice Hamilton, vice president, technology at EFG Companies.

“For example, we believe any company processing credit cards should complete PCI DSS compliance. Within three years, companies should also implement two-factor authentication. Granted, implementing data security technology is an expense. But, as research has shown, companies cannot afford a breach,” Hamilton continued.

Achieving data security

A study of more than 10,000 consumers by Gemalto revealed that 70 percent of consumers would stop doing business with a company if it suffered a data breach.

Furthermore, 69 percent of consumers believe that companies do not take consumer data security seriously.

EFG Companies recommends companies in the retail automotive buying chain utilize the acronym ADRIFT to ask the following questions as the first step in achieving data security.

1. Have I conducted a complete security risk assessment, including all access points and partners?

2. Does my written information security program document include procedures for each department that handles digital and physical consumer data?

3. Have I reviewed all reasonably foreseeable risks that could result in unauthorized disclosure or compromise of consumer data? Am I protecting customer information from collection to disposal?

4. Have I identified a designated person responsible for customer information security, with authority to implement the program?

5. How do I foresee manageable risks that could result in unauthorized disclosure of private consumer information? For example, am I overseeing partners that might have access to, or take possession of, customer information? Do my agreements with these partners require them to implement appropriate safeguards?

6. Does my company have sufficient training, oversight and procedures for securing private consumer data?

“From vulnerable photocopier hard drives to digital CRMs, we believe digital data security should be a key business objective for every retail automotive dealer, lender and partner,” said John Pappanastos, chief executive officer and president of EFG Companies.

“While important, simply locking a file cabinet or putting a screen protector on a monitor is not sufficient. We are calling on all participants in the retail automotive chain to lock down their data,” Pappanastos went on to say.