Data Loss Prevention: What Is It, and Why Should I Care? 

A recent news story puts Data Loss Prevention (DLP) issues into real-world focus. According to this report, a fired dealership employee allegedly tried to extort his former employer by threatening to release customer data – more than 1,000 R.O.s that the employee had downloaded onto a thumb drive from the dealer’s system – if the dealership didn’t give him more than a year’s worth of pay. A tough story to be sure, but one that could have been avoided by detecting and preventing that download from ever happening in the first place. 

One of the least understood obligations under the revised FTC Safeguards Rule is the obligation to “[i]mplement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.” (16 CFR 314.4(c)(8)). 

That’s a bit complicated, but basically, it means dealers must take steps to keep track of the activities of all individuals who are authorized to use their systems, including employees, vendors, and anyone else authorized to access dealer systems or data. The FTC notes that this includes monitoring for “anomalous patterns of usage of [dealer] systems,” as well as using “logging to ‘monitor’ active users and reconstruct past events.” 

The primary goal of this requirement is to prevent authorized users from improperly accessing data so that it is not lost or misused. Rather than looking for breaches by unauthorized outside parties, this control looks for people who are authorized to access the system (employees or authorized vendors) but whose activity may be putting data at risk – intentionally or not. 

Of course, in most cases, employees are not seeking to engage in unethical or criminal activity. Nevertheless, uncontrolled access to dealership data even by authorized employees can create risks. For example, allowing downloads of large volumes of customer data can create exposure if the file is not properly protected, or a laptop or other device is lost or breached. 

Stories like these also show that compliance is only part of the story. Dealers invest significant resources into developing proprietary information like customer databases. That data can be protected under law as the intellectual property of the dealership, but only if you can demonstrate that you have taken appropriate steps to protect that data as your property. It’s important to monitor third parties with authorized access. Dealers should not only know but be able to control what third parties are accessing from dealer systems. 

Moreover, dealers often place restrictions on the use of and rights to dealership data by employees (disgruntled or not), particularly former employees. With broad prohibitions now in place on noncompete and similar agreements under federal law, it is becoming increasingly difficult to enforce such restrictions by contract. Controlling and limiting unauthorized access to that data in the first place can help dealers avoid such concerns when an employee leaves the dealership.

How Does a DLP Tool Help Dealers? 

One key to addressing this issue is the use of effective DLP or “Data Loss Prevention” tools designed specifically for the dealer environment. As part of the ComplyAuto privacy solution, ComplyAuto provides dealers with a comprehensive DLP tool built for that environment. The ComplyAuto DLP tool automatically monitors dealer systems to detect and prevent the loss, leakage, or misuse of data by unauthorized and authorized users. 

In other words, it monitors activity on dealer systems and detects (among other things) when an authorized user obtains, or attempts to improperly obtain, customer data. Dealers can customize the DLP tool and take steps such as disabling ports or blocking the use of external or thumb drives. In short, a DLP tool is important in helping dealers comply with this difficult technical requirement of the Safeguards Rule – one often overlooked by other compliance vendors. 
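To make the monitoring-and-logging requirement concrete, here is a small detection pass over a constructed audit log of the kind a dealer management system might emit. It is an added illustration written for this article, not ComplyAuto's product or any vendor's code. The log format, the user names, the record counts, the 500-record threshold and the 15-minute window are all assumptions chosen to mirror the thumb-drive incident described above: one user exporting far more customer records than normal in a short span, followed by a write to removable media. The `timeline` helper shows the "reconstruct past events" side of the rule.

```python
"""Toy DLP-style detection over constructed dealer-system audit logs.

Assumed log format (one event per line, constructed for this example):
    <ISO-8601 timestamp> user=<id> action=<name> count=<records> dest=<where>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; a real deployment would set these per dealership.
BULK_THRESHOLD = 500            # records exported by one user...
BULK_WINDOW = timedelta(minutes=15)   # ...within this rolling window

# Constructed sample log (not real customer or dealership data).
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=jsmith action=view_record count=1 dest=screen
2024-03-04T09:05:40 user=jsmith action=export_records count=25 dest=local_disk
2024-03-04T13:10:02 user=rjones action=export_records count=400 dest=local_disk
2024-03-04T13:12:30 user=rjones action=export_records count=650 dest=local_disk
2024-03-04T13:14:05 user=rjones action=usb_write count=1050 dest=removable_media
2024-03-04T16:45:00 user=vendor_api action=export_records count=120 dest=sftp
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict; count becomes an int."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = int(value) if key == "count" else value
    return event


def parse_log(text):
    """Parse all non-blank lines, keeping the original (chronological) order."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Apply two rules aimed at authorized-user misuse and return the alerts.

    Rule 1 (bulk_export): a single user's export_records counts summed over a
    rolling BULK_WINDOW exceed BULK_THRESHOLD, i.e. an anomalous usage pattern.
    Rule 2 (removable_media_write): any event whose destination is removable
    media, the channel used in the incident the article describes.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (timestamp, count)
    for ev in events:
        user = ev["user"]
        if ev["action"] == "export_records":
            window = recent[user]
            window.append((ev["ts"], ev["count"]))
            # Drop exports that have aged out of the rolling window.
            while window and ev["ts"] - window[0][0] > BULK_WINDOW:
                window.popleft()
            total = sum(count for _, count in window)
            if total > BULK_THRESHOLD:
                alerts.append({"ts": ev["ts"], "user": user, "rule": "bulk_export",
                               "detail": f"{total} records exported within "
                                         f"{BULK_WINDOW}"})
        if ev["dest"] == "removable_media":
            alerts.append({"ts": ev["ts"], "user": user,
                           "rule": "removable_media_write",
                           "detail": f"{ev['count']} records written to "
                                     f"removable media"})
    return alerts


def timeline(events, user):
    """Reconstruct one user's activity as ordered, human-readable lines."""
    return [f"{ev['ts'].isoformat()} {ev['action']} count={ev['count']} "
            f"dest={ev['dest']}" for ev in events if ev["user"] == user]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for alert in detect(parsed):
        print(f"ALERT {alert['ts'].isoformat()} {alert['user']} "
              f"{alert['rule']}: {alert['detail']}")
    print("\n".join(timeline(parsed, "rjones")))
```

Run as written, the pass raises two alerts, both for `rjones`: the second export pushes that user's 15-minute total to 1,050 records, and the following write to removable media trips the second rule, while the small export by `jsmith` and the routine vendor transfer stay quiet. The point of the exercise is the shape of the control, not the numbers: thresholds need tuning to each dealership's normal volume, the audit log itself has to be protected from the users it monitors, and an alert is only useful if someone is assigned to act on it.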

With the new Safeguards Reporting requirements now in effect, the enforcement risks are rising, and it is particularly critical to understand and address this issue today.
