    Randy Henrick & Associates, L.L.C.

    THE DANGER WITHIN: ALMOST 35% OF DATA BREACHES RESULT FROM INTERNAL EMPLOYEES AND HOW YOU CAN REDUCE YOUR RISK

    11/15/2018


A total of 3,676 breaches involving over 3.6 billion records were reported in the first nine months of 2018 alone, according to Risk Based Security, which compiles breach data from public sources through automated and proprietary processes and other means.
     
As has been the case for several years, the recent Risk Based Security study found that insiders posed the biggest threat to data. Fraud, the term Risk Based Security uses for any sort of malicious insider activity or non-technical method of illegally accessing data, accounted for nearly 36% of the records compromised.
     
The reasons for such internal misbehavior vary from the obvious profit motive to a desire to cause harm to the dealership and its customers. Criminal groups routinely approach auto dealer employees with a proposal to pilfer consumer non-public personal information ("NPI") in exchange for cash payments or other benefits. To some employees, the risk is worth taking.
     
    What’s a Dealer to Do?
To address the problem of insider misbehavior, there are a number of steps you can and should be taking.
     
It begins with the hiring process. Unless prohibited by law, a criminal background check should be undertaken for any candidate who, if employed, will have access to NPI. An investigative consumer credit report is another good step, although you will have to notify the candidate that you are obtaining one and, if asked, disclose the general nature of the information learned from it. You do not want questionable and potentially unreliable people in your dealership, especially with access to your most valuable resource, your customers' NPI.
     
Another thing you need to do is limit access permissions. How many employees in your stores can access NPI even though it is unrelated to their positions? I bet it is a lot. Limit each employee's access to only the NPI they need to do their job and no more. This alone will reduce your risk, because an employee who never had access to a record cannot leak it, and a compromised login can only reach what its owner could.
     
The next step is that you must educate employees and monitor their activity. Most electronic record-keeping systems and DMS systems can produce access logs recording who did what on the system and when. Maintain and review those logs to see how often individual employees access NPI, comparing each employee against their own normal volume, and watch carefully for spikes in activity. Do this with paper records as well: appoint a gatekeeper or librarian who records the persons who access paper files containing NPI, and watch for spikes in that activity too. An increase in file access may indicate that the employee's credentials have been compromised by an outside attacker, but it may also indicate that the employee has decided to go over to the dark side. Either way, a spike is what you investigate.
     
    Your Employee Handbook should be clear that accessing NPI without a legitimate business purpose is cause for immediate termination in the sole discretion of management.
     
Another step you can take is to prohibit the downloading of NPI onto any external storage device such as a USB drive, an external hard drive, or other removable media. Access to NPI should be "read only," with no ability to download or transmit any of the information to any person not authorized by senior management. Read-only access stops bulk copying, not someone writing down or photographing individual records, which is why the access logging described above still matters.
     
Protect your NPI by keeping it on a separate server that is isolated from the public Internet. Use two-factor authentication (a password plus a code sent to the real user's device is one example) to gate access, and grant access only to the extent of the employee's permissions. In one New Jersey case, a salesperson from a large dealer had resigned to go to a smaller competitor. Before doing so, the employee copied the large dealer's DMS data onto a USB drive. No doubt similar activity goes on elsewhere. When an employee gives notice, review roughly the preceding month of their access logs, and watch them closely from that point until they leave the building. Watch their rate of copying physical papers as well. This may be when you are most at risk.
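The log review described above (per-employee baselines, spikes, a tighter watch once someone gives notice, and the no-download rule) can be scripted once your DMS exports an access log. The block below is an added example, not code from this post or from any DMS vendor: the log line format, the action names VIEW_NPI and EXPORT_NPI, the thresholds, and the sample employees are all constructed for illustration. It compares each employee's daily NPI access count against their own trailing seven-day average, applies a lower trigger to anyone on the notice list, and flags every export line outright.

```python
"""Spike detection over DMS-style access-log lines.

Added example, not code from the post or from any DMS vendor. The log format,
action names, thresholds and sample data are all constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean

# Actions that touch NPI in the hypothetical log format. Everything else
# (logins, inventory lookups) is ignored when counting.
NPI_ACTIONS = {"VIEW_NPI", "EXPORT_NPI"}


def parse_line(line):
    """Parse one line of the constructed format '<ISO-timestamp> <user> <action> <record-id>'."""
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def daily_counts(lines):
    """Per-user, per-day NPI access counts, zero-filled over the whole log window
    so a quiet day lowers the baseline instead of vanishing from it."""
    counts = defaultdict(lambda: defaultdict(int))
    days = []
    for line in lines:
        ts, user, action, _ = parse_line(line)
        days.append(ts.date())
        if action in NPI_ACTIONS:
            counts[user][ts.date()] += 1
    first, last = min(days), max(days)
    window = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    return {user: {d: per_day.get(d, 0) for d in window} for user, per_day in counts.items()}


def find_spikes(lines, notice_dates=None, baseline_days=7, multiplier=3.0, floor=10,
                notice_multiplier=1.5, notice_floor=3, pre_notice_days=30):
    """Return sorted (user, day, count, baseline, reason) findings.

    A day is a spike when the user's count is at least `multiplier` times their
    own trailing `baseline_days` average and at least `floor` (so 1 -> 3 does not
    fire). For a user in `notice_dates`, the stricter `notice_multiplier` and
    `notice_floor` apply from `pre_notice_days` before the notice date onward.
    Every EXPORT_NPI line is flagged on its own, since NPI is meant to be read-only.
    """
    notice_dates = notice_dates or {}
    findings = []
    for line in lines:
        ts, user, action, record = parse_line(line)
        if action == "EXPORT_NPI":
            findings.append((user, ts.date(), 1, 0.0, f"export of {record} (read-only policy)"))
    for user, per_day in daily_counts(lines).items():
        days = sorted(per_day)
        for i, d in enumerate(days):
            history = [per_day[x] for x in days[max(0, i - baseline_days):i]]
            if not history:
                continue  # first day in the window: nothing to compare against yet
            baseline = mean(history)
            under_notice = (user in notice_dates
                            and d >= notice_dates[user] - timedelta(days=pre_notice_days))
            mult, min_count, reason = ((notice_multiplier, notice_floor, "spike (notice period)")
                                       if under_notice else (multiplier, floor, "spike"))
            count = per_day[d]
            # max(baseline, 1.0) keeps a zero baseline from turning every access into a spike
            if count >= min_count and count >= mult * max(baseline, 1.0):
                findings.append((user, d, count, round(baseline, 1), reason))
    return sorted(findings, key=lambda f: (f[1], f[0]))


# --- constructed sample data (not a real dealership log) ----------------------
START = date(2018, 10, 1)
NOTICE_DATES = {"carol": date(2018, 10, 20)}  # carol has told management she is leaving


def constructed_lines(user, day, n, action="VIEW_NPI"):
    """Build n constructed log lines for one user on one day (sample data only)."""
    return [f"{day.isoformat()}T{9 + i // 60:02d}:{i % 60:02d}:00 {user} {action} REC-{i:04d}"
            for i in range(n)]


def sample_log():
    lines = []
    for i in range(15):
        day = START + timedelta(days=i)
        lines += constructed_lines("alice", day, 40 if i == 14 else 5)  # 8x jump on the last day
        lines += constructed_lines("bob", day, 8)                        # steady
        lines += constructed_lines("carol", day, 10 if i == 12 else 6)   # modest bump, but on notice
        lines += constructed_lines("dave", day, 3, action="LOGIN")       # never touches NPI
    lines += constructed_lines("bob", START + timedelta(days=10), 1, action="EXPORT_NPI")
    return lines


def run_sample():
    """Run the detector over the constructed log; returns the findings list."""
    return find_spikes(sample_log(), notice_dates=NOTICE_DATES)


if __name__ == "__main__":
    for user, day, count, baseline, reason in run_sample():
        print(f"{day} {user:6} count={count:3} baseline={baseline:5} {reason}")
```

On the constructed data this reports three findings: bob's single export on 2018-10-11 (count irrelevant, the action itself is the violation), carol's 10 views on 2018-10-13 against a baseline of 6 (a 1.7x bump that would pass the normal 3x rule but trips the notice-period rule), and alice's 40 views on 2018-10-15 against a baseline of 5. Dave, who only logs in, never appears. The same per-person-baseline idea works for the paper-file gatekeeper's sign-out sheet; only the parser changes.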
     
Finally, make clear in employee training that anyone who suspects a colleague of taking NPI for non-company purposes is obligated to report that suspicion to the Chief Compliance Officer, anonymously if necessary. And let employees know that not only will immediate termination follow, but that the dealership is prepared to swear out a criminal complaint for any such behavior.
     
A little prevention of the type described in this blog can keep your dealership from being the next victim of a safeguards breach. And that is a good thing too. A 2016 Verizon study found that among small to mid-size businesses that experienced a data security breach, three out of five went out of business within six months. Exercise diligence and hopefully you can mitigate at least this insider 36% of your safeguards risk.


      Author

      Randy Henrick is a leading auto industry compliance consultant. This article is not intended as legal or compliance advice due to the unique nature of a dealer's situation in each state. Randy's articles do provide issues and best practices that you may want to discuss with your attorney or compliance advisor for possible adoption in your dealership. Email Randy at AutoDealerCompliance@gmail.com
      Follow us on Twitter @randyh44


    © 2018 Randy Henrick & Associates, L.L.C.