Founder and Managing Partner
Partner, Chair of the Regulatory and Licensing Practice
State and federal law requires auto dealers to protect their customers’ non-public private information (NPPI), such as email addresses, mailing addresses and financial information. Dealers also have their own sensitive and confidential information, e.g., financial information, projections, customer lists and lease return dates, all of which may have value by virtue of being kept secret from competitors. Much of this information is stored as data, which is vulnerable to data security threats including hacking, theft of customer information and risks caused by vendor access to the Dealer Management System (DMS). Dealers should, by now, be very familiar with these risks and ways to combat them. But newer risks, e.g., spear-phishing and ransomware, have surfaced in the last few years, and combating them effectively requires updates to safeguards policies, other actions and vigilance. This article discusses these new threats and best practices to protect against them.
According to Symantec Corporation’s 2016 Internet Security Threat Report, “spear-phishing campaigns targeting employees increased 55 percent in 2015.” Dealerships are not immune to this threat, either, as 43% of all spear-phishing attacks last year targeted companies with fewer than 250 employees. Meanwhile, ransomware attacks increased by 35% in 2015. And employees’ use of smartphones in both their personal and professional lives increases mobile threats. Understanding the devastating impact of attacks on a dealership is vital to creating and implementing a complete information security program to monitor and enforce protections against these sorts of threats.
What is Spear-Phishing?
In spear-phishing campaigns, the hacker researches targets by culling information about them from publicly available sources such as social media, LinkedIn and company websites, so as to focus their efforts on particular units or individuals within an organization. Attackers attempt to learn about the company structure, the names and roles of various personnel, and the contact information for those personnel. The culling of specific information adds an extra layer of legitimacy, which is often lacking in a more broadly aimed attack. Automotive dealers are particularly enticing targets because of their retention of vast amounts of valuable customer information. Once attackers make contact with individuals within a company, they may attempt either to collect information outright from their targets or to infect the target’s system with tracking software, Trojans, or other malware. While some employees are savvy enough to cast a critical eye on potential phishing emails, spear-phishing is not as easy to detect.
What is Ransomware?
Ransomware is a singularly insidious type of malware that has increased in use over the past year, wherein a device or system is locked unless the user pays the ransom amount. Sometimes these messages will pop up with claims that the Federal Bureau of Investigation discovered child pornography or terrorism-related materials on the victim’s computer; the user will then be told they must pay a fine or face arrest. Other variants, known as crypto-ransomware, will use a key-based encryption system to make retrieval of this data impossible without the special key in the possession of the thieves. “One crypto-ransomware tactic that seeks to increase the pressure on victims to pay-up, threatens to destroy the only copy of the secret key after a certain time, with the encrypted data potentially lost forever.” Depending on which systems or machines become infected, the cost to the victim company can be devastating.
The Mobile Device Factor
Phishing, ransomware and other malware attacks are not limited to computer workstations and servers; smartphones, i.e., Apple iOS and Android devices, pose significant risk. Attacks range from transmitting data contained on the mobile devices, to holding the device hostage, to tracking valuable information. In addition to relying upon malware-infected programs and phishing, attackers also rely upon operating system and API exploits and on malware-embedded advertising on the mobile web and in ad-supported applications to gain access to valuable information from the user. While the risk of downloading an infected application has traditionally been more frequent on Android phones and jailbroken iPhones, threats have increased on non-jailbroken iPhones. Finally, an added threat unique to mobile devices is the potential carelessness on the part of employees in simply losing or misplacing their devices.
Information security best practices to incorporate into your Safeguards Program:
- Designate an information security coordinator. The coordinator is responsible for overseeing the Information Security Program, which should be a part of your Safeguards Program.
- Conduct a Risk Assessment. The assessment covers all dealer operations to identify reasonably foreseeable risks, both internal and external, to the confidentiality, security and integrity of customer (and dealership) information. At a minimum, the assessment should evaluate information systems, employee training and management, and system failures.
- Information Security Policies. Create or update existing policies to address the safeguarding of customer (and dealership) information by employees, consultants and outside service providers, and needs of the program.
- Information Security Program and HR. Integrate the Information Security Program with HR policies, background checks and the employee handbook.
- Training. Provide training to new and existing employees, consultants and service providers who have access to customer (and dealership) information on safeguarding and the program policies. Internal communication to dealership employees must be habitual. Regular training should be provided, particularly because the type and nature of these attacks and risks change frequently. In addition to safeguarding, the training should consist of “common sense” training on suspicious emails, basic IT safeguards, malware and mobile phones:
  - Train employees to spot suspicious emails and to avoid opening attachments and links in such emails - even if the emails appear to come from people they know.
  - Direct IT to block domain names once a suspicious email is received by an employee.
  - Prohibit employees from responding to any such emails with personal or company information, passwords, customer information or financial information of the dealership.
  - Disable the tracking of cookies and other methods by which outsiders can monitor system activity.
  - Establish password protocols to ensure that system and user passwords are sufficiently “strong” and regularly changed.
  - When an employee with access to important programs or systems is no longer with the company, change the passwords related to those programs and systems.
  - Use a plugin for web browsers that blocks ads. This can help limit potential exposure to malicious, compromised, or otherwise vulnerable banner and pop-up ads.
  - To protect against ransomware, ensure that all software applications used by employees are up to date – this includes everything from endpoint security software to browser plugins and productivity applications.
  - Maintain a proper backup policy that includes saving multiple prior backups. This serves two vital functions: first, it ensures the system can be restored with minimal loss; second, it protects the backup itself from also being compromised by the ransomware. It is nearly impossible to recover data from crypto-ransomware.
- Monitoring & Internal Auditing. Regularly monitor and audit the effectiveness of safeguarding systems and procedures to ensure all safeguards effectively control the risks identified in the risk assessment.
- External Auditing. Consider utilizing a “white-hat” hacker to test the effectiveness of your safeguarding program. Update and create new policies in response to audit results.
- Limit Third Party Access. Oversee vendor and consultant access to customer information.
  - Insist on additional insured certificates naming the dealership.
  - Insist on indemnity and confidentiality agreements.
  - Require vendors to maintain their own Information Security Program.
- Insurance. Ensure the dealership has its own cybersecurity insurance endorsement – this endorsement is typically a separate endorsement and not commonly included with general commercial liability, garage or E&O insurance policies.
Forewarned is forearmed. Data protection is a complicated compliance area and one that dealers and automotive attorneys alike will need to grapple with as the threats dealers face continue to become more sophisticated and dangerous.
 Source: Symantec Corporation, Internet Security Threat Report, Volume 21, April 2016, Page 6.
 Id. at Page 58.
 Id. at Pages 10-15.