Note: This post was created prior to the implementation of the CCPA. The law is now in effect as of January 1, 2020. Keep reading to learn more about CCPA compliance and how your dealership may be affected.

Consumer privacy concerns are sweeping the nation and lawmakers are taking notice.

In the first six months of 2019, the number of data breaches has increased by 54% compared to the same time last year. As of July, more than 4.1 billion customer records have been exposed in approximately 3,800 publicly disclosed data breaches.

The business sector is responsible for 67% of reported breaches and 85% of exposed records. Data breaches are happening on an almost daily basis, exposing customer addresses, passwords, credit card numbers, social security numbers and other sensitive information.

Recent notable breaches include:

The City of Baltimore’s computer systems were infected in May with an aggressive ransomware called RobinHood. Although the city did not pay the ransomware, the resulting chaos has racked up more than $18 million in damages.

In late July, Capital One was hacked, exposing 100 million records including credit card applications. This is one of the largest data breaches in history with potentially devastating consequences.

Bulgaria’s National Revenue Agency was recently hacked, compromising the information of 5 million out of Bulgaria’s 7 million citizens. The hackers later sent a message to the Bulgarian media declaring “The state of your cyber security is a parody.” Imagine the consequences if this happened to your business.

According to one report, an unauthorized person accessed NASA’s Jet Propulsion Laboratory. The hacker went undetected for 10 months and acquired highly sensitive information from many critical and confidential projects.

Quest Diagnostics and LabCorp. These two clinical laboratories were both hacked in June, exposing a combined 19.6 million medical records and personal information. In fact, 2019 has been a horrible year for customer privacy in the medical industry, with breaches occurring on an almost weekly basis.

First American Financial was hacked in May, exposing 885 million sensitive records including bank account numbers, statements, mortgage information and tax records.

Facebook recently admitted that 600 million user passwords have been stored in plain text and could easily be accessed by its 20,000 employees. If you use Facebook, change your password.

Consumers Demand Protection

Many people still have an image of “hackers” as teenagers in basements, but this stereotype is inaccurate. The vast majority of today’s hackers are employed by large criminal or state-backed entities. These organizations use sophisticated strategies and systems to carry out cyberattacks worldwide. Although cybercriminals are located all around the world, most activity originates from Russia, China, North Korea and Brazil.

Understandably, consumers are increasingly fearful about the consequences of their personal information being stolen. Identity theft is a growing problem, with 33% of U.S. consumers reporting some form of credit card fraud or identity theft. In the next few years, experts estimate that cybercriminals will steal $6 trillion from U.S. consumers and businesses.

Once stolen, personal data is typically sold on the dark web to criminal organizations that are willing to pay from $10 to a few hundred dollars per identity. One successful data breach could net perpetrators millions of dollars. Because it’s so lucrative, cybertheft is a rapidly growing industry.

Cybercriminals use personal data to take over bank accounts, commit credit card, tax and mortgage fraud, steal identities and scam vulnerable consumers.

Across the U.S., growing consumer demands have motivated lawmakers to take action in order to drive businesses to be better prepared for cyberattacks. Although every state in the U.S. has a law that impacts how businesses must report data breaches, most experts agree these laws don’t do much to prevent data breaches in the first place.

To address this challenge, as of July 2019, 20 states have drafted or passed consumer privacy laws.  The most notable example is the California Consumer Privacy Act (CCPA), which requires businesses to take “reasonable measures” to protect consumers’ personal and private information.

The CCPA applies to most auto dealerships in California. Dealerships store vast amounts of personal information from consumers, including names, phone numbers, email addresses, home addresses, credit card numbers, social security numbers and other financial information.

Dealerships Need to Take Action

The CCPA takes effect in January, 2020. Unfortunately, becoming compliant is not as simple as installing antivirus software and calling it a day. The California Attorney General has defined “reasonable measures” as 20 Controls issued by the Center for Internet Security (CIS).

To become compliant, California auto dealers will need to implement these 20 controls, which include appointing a security officer, creating a cybersecurity plan and providing security awareness training to employees. Depending on the state of the IT network, it may also include upgrading network equipment, computer hardware and software.

Although compliance will take time, money and effort, the CCPA is forcing a much-needed evolution in dealerships’ information technology (IT) practices.

The first steps to become CCPA compliant are:

• Understand where your current IT environment falls short of CIS 20 controls. Order a gap analysis, also known as a Risk & Vulnerability Assessment, from a recommended IT services provider.
• Create a prioritized remediation plan that fills gaps identified.
• Implement the plan. Seek help if you are shorthanded. The clock is ticking and time is of the essence.
• Maintain compliance with ongoing management. IT isn’t static and it’s easy to fall out of compliance if things aren’t routinely managed and monitored.

Compliance with the CCPA by the January deadline requires a sense of urgency and a detailed plan of action. If your dealership hasn’t yet taken steps to protect consumers’ personal information, you may be vulnerable to a data breach and subsequent lawsuits in 2020.