How to Comply With New FTC Safeguards Rule

In an era when data is a business’ lifeblood, Reynolds and Reynolds Chief Information Security Officer Nikhil Kalani has been the guardian of a high-stakes ballgame.

The digital-evolution leader, who helps create products to enhance dealership data security, observes that the strategy in the game is harder than ever. Hacking, he says, has evolved from people infiltrating personal computers to organized groups breaching entire company systems.

The stakes are different, too. “A decade ago, we might have seen a ransom demand of $250. Now they ask for millions of dollars.”

The high-stakes Kalani describes led the Federal Trade Commission to update its Safeguards Rule, the result of which took effect last June. The new rules strengthened protections for consumers’ information maintained by nonbanking financial institutions, from mortgage brokers and payday lenders to automotive dealerships.

The agency then proposed a supplemental amendment to the rule that would require financial organizations to report data breaches and security events to the FTC. In October, the agency amended the rule to include nonbanking financial institutions within its jurisdiction. Now those institutions—including auto dealerships—must report data breaches affecting 500 or more people.

“Before this change, a dealership might have had to report a breach to state regulators. That’s a pretty common requirement in most states,” Kalani says. “The new requirement adds in federal reporting directly to the FTC.”

What the Amendment Says

Dealers can refer to the revised rule for specifics, but Kalani says the focus is on “notification events,” which the FTC defines as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.”

The FTC further defines a notification event as one that “involves the information of at least 500 consumers.” In those situations, the covered entity—for our purposes, an auto dealership—must notify the FTC “as soon as possible, and no later than 30 days after the discovery of the event.”

An FTC statement on the new provision, which is scheduled to take effect on May 13, says the notice must include:

• The name and contact information of the financial institution
• Description of the information involved
• The date or date range of the notification even
• The number of consumers effected
• A general description of the notification event

“The FTC has provided a web-based form to fill out,” Kalani says. “The form itself is not overly complex. It asks some basic questions about the breach and its scope, the number of customers impacted, and provides a place for additional information. The complexity comes into play after dealerships make a report.”

While Kalani can't speak for the FTC on notification handling, past actions can offer insight. He says that historically, the FTC conducted an investigation after a sizeable data breach and if it found security lapses, set security requirements for the organization.

“Historically, they asked for further reporting up to 20 years,” he says. “So, not counting the fines they might issue, a dealer must be prepared to report to the FTC for 20 years.”

The FTC has also required inspections by an approved third-party auditor every other year to ensure organizations meet the new security provisions. It has asked for the first audit report, and any of the future reports thereafter, for up to 20 years.

Prevent Breaches First

FTC reporting may be straightforward, but the aftermath might not be. To avoid future problems, Kalani suggests establishing a robust security posture, for which he recommends three steps:

1. Develop a security culture. “This begins at the top, with leadership recognizing the value and promoting it to staff.
2. Put employees through regular security-awareness training. Training should evaluate how employees respond to diverse types of attacks, such as phishing, where hackers contact targets by email, phone or text message to lure them into providing sensitive data, including banking details or passwords.

 “Most breaches begin with an email that an employee clicked on, which gives a foothold to an attacker,” Kalani says. “In fact, over 95% of all breaches begin by email. Dealerships need to test employees' security awareness and reward the best performers and give extra attention to those taking security risks.”

Working with a partner offers a consistent approach to gauge the security awareness of every employee. The companies can simulate cyberattacks to test employees and provide performance statistics to the dealership.

1. Put technical protections in place. Kalani says this comprises security protections for email systems, personal computers and company servers, with continuous year-round monitoring. “Monitoring is critical,” he says. “These attacks usually happen on nights, weekends or holidays, times when a dealer’s own IT staff may be minimal, so dealers want to work with a partner who is available during those times. Also, email security needs to be given a high priority, and of course, frequent and reliable data backups.”

Reynolds and Reynolds protects customer data through its security operations center, which focuses on threat intelligence, or what hackers are up to, to keep pace with the latest hacking techniques and tools. It monitors the systems and networks at dealerships. And when a cyber event occurs, Reynolds says the center promptly responds to address the situation.

Pick the Right Partner

Picking the right partner hinges on knowing the difference between compliance and security, according to Kalani.

“Dealers often think security and compliance are the same thing,” he says. “They are related, but they are not the same. A dealership that is compliance-motivated might pick a partner whose skill set is fixed on compliance. But that won’t stop hackers.”

He explains the difference with an analogy: A car that’s road-legal can be driven on the road. It is a compliant car. However, that doesn’t mean it’s designed for safety or dependability, which requires “a different class of vehicle.”

Dealerships need a cybersecurity-focused technical partner to safeguard their data. The partners can help them establish a robust security foundation across systems, networks and data management, then layer on the right security tools, monitoring and training.

“Once you have strong technical cybersecurity, building in compliance is easy,” he says. “You are already doing the right things.”

He shares an example of how that might look in a dealership. Dealers need formal information security policies, but policies are documents that may sit on a file share or get published. Having policies, he says, doesn’t stop hackers.

“It’s about the implementation quality of the policy,” he says. “The policy describes what actions are needed, but you need to make sure the actions taken are of an appropriate quality. That’s data security versus compliance.”

In order to improve cybersecurity, some dealers may need to invest in technology. Many dealers haven't kept up with their technology investments and are now in technical debt, Kalani says.

“These dealers may need to do some projects and implement new tools to catch up. They may need to upgrade their systems to establish a good baseline.”

Upgrading security and monitoring it once systems and policies are in place will help keep data secure so dealers might avoid a breach entirely, he says.

How Hacking Has Evolved

Hacking has evolved beyond the stereotypical teenager in his or her parents' basement. It’s now an organized crime network bent on destruction, according to Kalani.

Here’s how he describes the face of hacking today.

• It’s organized. The criminal network functions as companies, complete with supply chains, employee handbooks, and vacation policies. Nearly two decades ago, it mostly involved individuals attacking a single PC at a time. Now gangs are involved. The rise in bitcoin and other digital currencies made financial transactions harder to track, causing a rise in ransomware attacks.
• It’s specialized. One hacking organization might focus on getting a foothold in a network to sell access to another group. A second group might purchase access, then work to infiltrate the entire network. A third entity might carry out data exfiltration, encryption and pass on the attack to a fourth group for ransom negotiations. “It operates like a modern company where each team, or gang, in this case, focuses on what they do best,” Kalani says.
• It's expensive. A report by IBM and the Ponemon Institute puts the average data breach cost for businesses with fewer than 500 employees at nearly $3 million, and the average cost per breached record at $164. The figures exclude additional regulatory fines or costs to get back online.
• It takes a long time to recover. Recovery can take weeks and typically requires a vendor that may bill by the hour. Recovery is made much harder there are no reliable backups. Ransomware gangs typically search for backups on the network and attempt to destroy them.

Ronnie Wendt is an editor at Auto Dealer Today.

DIG DEEPER: How to Fight Fraud and Ramp Up Compliance

Originally posted on F&I and Showroom