Whenever a factory repurchases a dealer’s franchise, it always wants a computer readable copy of the dealer’s customer information. Dealers often ask why, since the factory already has information on every customer who bought a new car. There apparently are reasons for this (the factory does not have used car buyer information, the information it has may not have the breadth of information carried on the dealer’s system, and others). But whatever reason, the factory sees this information as so valuable that it will generally not do a deal to buy back a dealer’s franchise for which it pays hundreds of thousands or even millions of dollars without receiving this information.
So what does that tell us about your customer information? Simply that it is part of the six or seven figure goodwill value of your dealership. You would not leave hard assets, like cars or cash, of this value lying around unprotected in an unlocked space for anyone who wants to come in and make off with them. You protect these valuables very carefully. So why is it any different with your customer information?
Under the FTC Safeguards Rule, you must have physical security for your data kept in tangible media such as documents and files. That is why dealers, when the Safeguards Rule became effective, spent substantial time and money making sure that file cabinets were locked, the general office was secured, and locks were installed on F&I office doors, among dozens of other protections.
Similarly, under the Safeguards Rule you are required to provide computer security for your data kept and transmitted electronically. Your computer vendor can help provide online security for this data. Your system should not provide open access to customer data to every authorized system user. That is not just a requirement of the FTC Safeguards Rule, it is also good business sense and good common sense. Just because employees have the authority to look up service tickets, or selected deal information, they should not have the opportunity to access or to start downloading all other information. Your computer vendor should help with that.
However, there is one vulnerability that may be overlooked for your electronic data – physical security. A recent lawsuit filed in Pennsylvania between two law firms is instructive in this area. Earlier this year, a partner in a law firm decided to leave his firm and take his practice to another firm. Knowing that the firm he was exiting could object and might seek to block him if he took files, he allegedly went in after business hours with a tech savvy friend. The friend hooked up a portable hard drive to the firm server and downloaded hundreds of thousands of client documents. The firm he left was not amused when it found he took these files to his new employer. It sued the attorney, two other firm employees who left with him, his techie friend, and the hiring law firm. As this is written, the battle is going on.
So what should one take from this? Some dealers have not migrated to cloud-based DMS systems; they still have servers on the premises. The server may be in an equipment room that is left open so that employees may access the server or other equipment in the room. If many people can access it, so can an employee with a portable hard drive intent on no good. All server equipment must be locked up and secured.
In addition, in cloud-based systems, full access may be available from any computer on the system by someone using the proper credentials. Dealer managers, such as the General Manager or the Controller, who have full access to the system should have their computers in offices that are locked and secured. Passwords or other log on keys should never be left in plain sight (a sticky note on a monitor screen) or where a thief would expect to find it (in desk drawers or under a desk blotter near the computer).
Computer security has come a long way, but basic physical security measures for computer equipment and access are still important