TIMONIUM, Md. — IT managed services provider Helion Automotive Technologies has issued proactive security recommendations for auto dealers who may be at risk of customer data breaches. The recommendations come on the heels of an incident that occurred last month and was widely reported in news outlets.

In February, a disgruntled employee with a CRM vendor circulated an email that appeared to be from hackers threatening to release sensitive information from millions of customer records. The data was purportedly taken from several dealerships’ dealer management systems (DMS). The CRM vendor quickly identified the employee, determined that no security breach had occurred, and that the data the employee had in her possession was benign.

“These dealers were lucky, because if this hoax had turned out to be true, they would be legally liable and could be on the hook for millions of dollars,” said Erik Nachbahr, Helion’s founder and president and an Auto Dealer Today contributor. “What this incident illustrates is how most dealerships do not understand the serious consequences related to a data breach of this nature and how ill-prepared they are to respond.”

If a hacker gains access to sensitive data in customer records, such as Social Security numbers and birth dates, the cost to a dealership could be in the millions. That figure is based on an average cost of $30 per customer record breached.

Even if a dealership’s CRM or DMS vendor is responsible for the breach of a dealership’s customer records, the dealership is legally liable for all resulting costs, which may include:

  • Local and federal law enforcement investigations
  • Computer forensic investigations
  • Business interruptions, including orders to close the dealership until the source and impact of the breach is assessed
  • Customer notifications and free credit monitoring for customers
  • Crisis management and public relations
  • Customer and class-action lawsuits
  • FTC action for noncompliance with the Gramm-Leach-Bliley Act and software copyright laws

Fortunately for dealers, Nachbahr said, these consequences can be greatly mitigated by creating a security plan that includes a response to customer data breach occurrences.

His first recommendation is that dealers should assign a point person in the dealership who will coordinate a planned response. The designee is typically a high-level financial executive, which in a dealership may be the CFO, controller or chief compliance officer.

The designee should have a written response plan that addresses each of the consequences listed in the bullet points above. The designee should also have a list of parties and contact information at the ready in the event of a security breach. Parties that need to be notified immediately include local law enforcement, the dealership’s attorney, cyberliability insurance provider and public relations/crisis management representative.

The customer data breach response plan should also include a protocol for notifying customers that their data has been breached, which is a legal requirement. Many states also have a legal requirement that will require dealers to pay for one or two years of free credit monitoring for the affected customers.

Nachbahr recommends that any dealer who does not have cyberliability insurance should get some immediately. The typical insurance policies that dealerships carry, such as property, liability and casualty insurance, do not cover costs related to data breaches.

Finally, dealers who don't have a crisis management plan in place, Nachbahr recommends they create one. Costs related to litigation and compliance violations can be greatly alleviated if the dealership responds publicly, immediately and in an appropriate manner.

Nachbahr further noted that the likelihood that a given dealership will experience a customer data breach is high. In the last 12 months, 71% of small to mid-size businesses reported a security breach, according to a July 2016 report titled IT Security at Small to Mid-Size Businesses (SMBs): 2016 Benchmark Survey. Companies with fewer than 500 employees proved the most vulnerable with a 75% breach rate.

“Dealers need to realize this is an imminent threat, and that it’s not if, but when this will happen,” he said. “Having a security plan in place is pretty much expected for every business in every industry these days, but, unfortunately, we find that many dealerships don’t think about it until it’s too late.”