Dealerships are Lucrative Targets for Data Thieves

Oct 14, 2013

By Ed Becker
Note: This article is for general information purposes only. Neither the author nor the publisher intends to provide any legal advice. Please contact your legal counsel if you have any legal questions or concerns.

When it comes to information security, dealerships have many areas of high risk. It is essential that you do as much as you can to protect your customers’ data. In this article, I will answer these important questions:

  • Why do data thieves target dealerships?
  • Why does your dealership need to have an active security plan?
  • What does it mean to have an active security plan?
  • What are the costs of a breach for small to medium businesses?

The data in your Dealer Management System and other systems, like your Customer Relationship Management application, can be worth a great deal of money to hackers and identity thieves. Since many big businesses have implemented strong defenses, making it hard for thieves to compromise their systems, criminals are turning to small to medium-sized businesses as their primary targets. This means that dealerships are more vulnerable than larger businesses, which can devote more resources to staying one step ahead of the bad guys. Many dealerships work off old or outdated data security plans—so if you are one of them, you are setting yourself up to be a target for a data security breach.

According to a 2012 Verizon report [PDF], 98% of security attacks came from outsiders, organized crime and activist groups. These people are often professionals who can easily infiltrate systems without adequate security measures in place. A security plan implemented five years ago that is collecting dust on your shelf makes you vulnerable to the new, high-tech ways to steal data that are devised each year.

Verizon also found that 79% of companies that incurred data loss were targets of opportunity. These businesses simply had areas of known weaknesses that were exploited by chance. The older your plan and related controls, the easier it is for you to be a target of an external attack.

Physically having a plan is only the first step in securing your data. It needs to be maintained and updated as your business grows and changes. Your staff must be aware of the plan and understand the reasoning behind it, so that they know why they need to follow it. With that in mind, it makes sense to put a single person in charge of managing the plan and seeing that it is kept up-to-date. This will help ensure that you are not only aware of new threats to your data but also informed of new laws that need to be followed.

Dealerships are among the most regulated businesses in the country. According to NADA, you are subject to nearly 100 federal regulations as well as additional state laws, depending on where you reside. Also, NADA recently sent a 14-page memo to its members about regulatory guidelines that should be considered when building a plan.

Here is one government regulation example.

Since dealerships are considered to be financial institutions, the FTC holds you accountable under the Gramm-Leach-Bliley Act for customer information. While some private lawsuits have been unsuccessful in penalizing dealerships, the FTC has shown a strong willingness to assess hefty fines, file complaints against businesses, as well as compel dealerships to implement comprehensive security programs—some with third-party auditing for up to 20 years.1

The financial institution tag also puts dealerships square in the middle of the map for data thieves. Therefore, frequent checks to find your weak links and vulnerabilities are very important. These could be outdated backdoors into your system, unauthorized third-party vendor access and data usage, or insider threats from staff or consultants with more data access than they need to do their jobs. Any of these can open your dealership to a breach that leads to significant data loss and financial responsibility.

And when it comes to dealership data security, size does matter … but maybe not the way you think. According to the 2012 Cost of Cyber Crime Study [PDF]:

“Cyber crime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, we determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,324 versus $305).”

So, for a dealership with 100 employees, the annualized cost of a cyber crime event could be as much as $1.3 million. Can you absorb that cost after a breach occurs?

The Verizon report [PDF] also found that, worldwide, businesses incurred 855 incidents of data theft, resulting in 174 million compromised records in 2011. This was a huge jump from just 4 million compromised records the previous year. Data security is a concern for every business, but dealerships have big targets on their backs. Having a plan, implementing it consistently, and keeping it up-to-date is extremely important.

Your data is at risk … isn’t it worth protecting?

1Joel B. Hanson, Liability for Consumer Information Security Breaches: Deconstructing FTC Complaints and Settlements, 4 Shidler J. L. Com. & Tech. 11 (5/23/2008), at <>
