Just in the past few weeks the Internal Revenue Service announced that over 700,000 more tax return accounts were hacked, exposing sensitive data and tax return information. What is even more interesting is that the IRS system that was hacked was designed and put into place to prevent hacking into the system in the first place!
Every month we hear that our personal information is being exposed and used by criminals for gain. This month’s blog is on dealership data security. I will give you some common sense tips on how to protect your dealership data and more importantly that of your customers.
It was Warren Buffett who said that it is only when the tide goes out that you find out who has been swimming naked. On a similar note, we in the powersports industry tend to be the last to adopt best industry practices until something bad has happened to us. It’s sad and often true.
Dealerships are required to help fight identity fraud by being in compliance with various federal and state government mandates, including the Red Flag Rules.
What are Red Flag Rules? By now you should be very familiar with them, but in a nutshell the Red Flag Rules require many businesses, including dealerships, to implement a written Identity Theft Prevention Program designed to detect the warning signs of identity theft in their day-to-day operations. This covers both physical data and electronic data. The Federal Trade Commission (FTC) administers and enforces the Red Flag Rules. Penalties for violations start at a minimum of $3,500 per occurrence. (FTC.Gov)
Over the years I have been in literally hundreds of powersports dealerships, and trust me, we as an industry are not taking these compliance rules seriously. I see unsecured areas where sales deal jackets are just lying around with sensitive customer data in them — including credit reports! Just in the past few months I have seen at least 50 simple violations that could easily add up to $175,000 in dealership fines. Can you afford this type of financial risk and exposure?
If you have a written Identity Theft Program already devised and in place, make sure you revisit and audit it yearly. Make the appropriate changes, as the environments of dealerships, as well as the industry as a whole, are constantly in flux.
And lastly, if you have such a policy in place, make sure that you are doing what your policy states you are going to do. Having a written Identity Theft Program in place helps you minimize dealership risk, but if you do not do what your policy says you’re going to do, you are increasing your risk of identity theft violations and potential exposure.
The above are just some of the “physical” violations that I have witnessed. Then there are the violations that I find within a dealer’s dealer management system (DMS). For example, in a lot of dealerships system security is lax: it is configured once at setup and never looked at again.
One suggestion I have is to review your DMS security often and have a written plan for doing so. Only designated “system administrators” should be permitted into any system set up area within your DMS. Go through every option that your DMS allows you to secure and ask yourself “Does this employee need this function to do their daily job?” If the answer is no then lock it down!
All accounting modules should be pinned down with the utmost care.
I do not feel that system administrators should have access to the accounting/general ledger system unless the administrator is the office manager or controller. By limiting access you are implementing good control over your books and records and minimizing risk.
I also suggest that you never store your customers’ credit card information in your DMS under any conditions. If you accept phone orders, always run the customer's credit card with them on the phone reading the information to you. You are protecting yourself against fraudulent charges as well as protecting the customer. When doing system security audits by job function I always find customers’ credit card information tucked away somewhere within the DMS. It’s a big risk and not worth it.
Another area in your system that holds a high amount of sensitive customer data is the sales deal, both on paper and in your DMS. Make sure you lock out employees who do not need regular access to this information. Also remember to lock up any reporting functionality that could allow an employee to access sensitive customer information and dump that data to a report or export it electronically. Protect your valuable customer lists. I have seen employees steal customer sales lists before they quit their job at the dealership, compromising your dealership’s internal controls and exposing you to risk.
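Here is a small added example (not from the original post or from any DMS vendor) of what a "by job function" DMS security audit can look like when written down as rules: system setup only for designated administrators, general ledger only for the office manager or controller, report exports locked to the jobs that need them, and a check that no credit-card fields exist in the customer record at all. The job titles, function names, users and field names are constructed assumptions.

```python
# Least-privilege audit of DMS user permissions by job function, as the post
# recommends: system setup only for designated administrators, general ledger
# only for the office manager or controller, report exports only where needed,
# and no stored credit-card fields. Job titles, function names and users are
# constructed assumptions, not Lightspeed/EVO settings.

# Functions each job legitimately needs for its daily work.
JOB_NEEDS = {
    "system_admin": {"system_setup", "user_maintenance"},
    "controller": {"general_ledger", "accounts_payable", "report_export", "deal_jacket"},
    "office_manager": {"general_ledger", "accounts_payable", "report_export", "deal_jacket"},
    "sales": {"deal_jacket", "customer_lookup"},
    "parts_counter": {"customer_lookup", "parts_invoicing"},
}

# Functions never granted outside these jobs, whatever an individual profile says.
RESTRICTED_TO = {
    "system_setup": {"system_admin"},
    "general_ledger": {"controller", "office_manager"},
    "report_export": {"controller", "office_manager"},
}

def audit_users(users):
    """Return (user, function, reason) for every grant that violates least privilege."""
    findings = []
    for name, job, granted in users:
        for fn in sorted(granted):
            if fn in RESTRICTED_TO and job not in RESTRICTED_TO[fn]:
                findings.append((name, fn, f"restricted to {sorted(RESTRICTED_TO[fn])}"))
            elif fn not in JOB_NEEDS.get(job, set()):
                findings.append((name, fn, f"not needed for job '{job}'"))
    return findings

def find_card_fields(schema_fields):
    """Flag DMS record fields that look like stored card data (should not exist)."""
    markers = ("credit_card", "creditcard", "card_number", "cc_num", "cvv", "card_exp")
    return sorted(f for f in schema_fields if any(m in f.lower() for m in markers))

# Constructed sample: (user, job, functions currently granted in the DMS).
SAMPLE_USERS = [
    ("alice", "controller", {"general_ledger", "accounts_payable", "report_export", "deal_jacket"}),
    ("bob", "system_admin", {"system_setup", "user_maintenance", "general_ledger"}),
    ("carol", "sales", {"deal_jacket", "customer_lookup", "report_export"}),
    ("dan", "parts_counter", {"customer_lookup", "parts_invoicing", "deal_jacket"}),
]
SAMPLE_SCHEMA = ["first_name", "last_name", "phone", "CreditCardNumber", "card_exp_date"]

if __name__ == "__main__":
    print("violations:", audit_users(SAMPLE_USERS))
    print("stored card fields:", find_card_fields(SAMPLE_SCHEMA))
```

Run against the sample, it flags the administrator holding general ledger access, the salesperson with report export rights, and the parts counter user with deal jacket access, plus the two card-data fields in the customer record.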
On a related note, if you use third party vendors and they access your data, ensure that they have a data security policy in place and find out exactly how they are going to use your customers’ data. Also, if you have other individuals or employees who access your dealership’s networks or DMS remotely, make sure you have secure monitoring systems in place so that the wrong people do not access your dealership’s data from afar.
Whew! That’s a lot of information to digest in a blog, right? I know, but I am only trying to get you to start thinking about your dealership’s data security. It’s important for so many reasons — specifically having good internal control. After all, you lock the dealership down tight every night before you go home, so you should be locking the doors on your data as well.
Forrest Flinn, MBA, PHR, SMS has been in the motorcycle industry for nearly 20 years and has been a true student and leader serving in various capacities. He previously worked as an implementation consultant for Lightspeed and as a general manager with P&L responsibility for a large metro multi-line dealership. Currently Forrest is the managing partner and chief visionary for a consulting firm that specializes in outsourced accounting, human resources, social media strategy, dealership operations consulting and Lightspeed/EVO training.