Consumer data privacy concerns are constantly in the news. Growing pressure on lawmakers to do something has resulted in a wave of new consumer privacy legislation being passed in many states.
California has passed the California Consumer Privacy Act (CCPA). A similar law is expected to soon pass in Washington state. Alabama, Louisiana, Colorado, Nebraska, Massachusetts and Ohio have recently added new data security standards to their data breach notification laws. You can bet that other states will follow suit.
These laws require that businesses take “reasonable measures” to secure consumers’ personal information, such as names, addresses, social security numbers, credit card numbers, credit scores and bank account numbers.
The definition of “reasonable measures” varies from state to state, but all of these laws highlight the importance of protecting your customer data. For most dealerships, becoming compliant with these laws is likely going to require upgrades to software, hardware and data security equipment, as well as the implementation of new policies and procedures.
Recently, the California Attorney General defined “reasonable measures” as compliance with 20 controls established by the Center for Internet Security. In a nutshell, if your dealership is located in California, you’ll be responsible for the following:
1) Inventory and control of hardware assets
2) Inventory and control of software assets
3) Continuous vulnerability management
4) Controlled use of administrative privileges
5) Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
6) Maintenance, monitoring and analysis of audit logs
7) Email and web browser protections
8) Malware defenses
9) Limitation and control of network ports, protocols and services
10) Data recovery capabilities
11) Secure configuration for network devices such as firewalls, routers and switches
12) Boundary defense
13) Data protection; encryption, integrity protection and data loss prevention techniques
14) Controlled access to data based on the need to know
15) Wireless access control
16) Account monitoring and control
17) Implement a security awareness and training program
18) Manage the security life cycle of all web-based or application software
19) Develop and implement an incident response infrastructure and management plan
20) Penetration tests and red team exercises to test strength of defense
Is your dealership taking all of these “reasonable measures” to protect your data from the threat of cyberattacks? If not, you might be subject to fines from your state attorney general’s office and/or litigation from consumers.
When it comes to protecting consumer data, dealers can no longer afford to do business as usual. If your state hasn’t already updated its data breach notification law or passed a consumer privacy law, it soon will. It’s up to every dealer to learn what their state’s data security requirements are, and proactively take steps to become compliant.