A particularly critical, yet often overlooked, requirement of the revised FTC Safeguards Rule that went into effect earlier this year obliges dealers to “…implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users” (emphasis added). Through our extensive research on the FTC Safeguards Rule, our review of published manuals and articles, and our scrutiny of other solutions available in the market, we have found that this requirement is routinely overlooked.
Upon reading this portion of the regulation, many concerned dealers are often left wondering, “How can I possibly accomplish this type of monitoring?” This is because the modern dealership is usually bustling with activity and managing vast amounts of customer data daily. To require them to monitor every email, document access, and employee login manually is not only impractical but dang near impossible. Relying solely on someone to oversee this process is fraught with risks and potential human error, leading to oversights and potential breaches. This is where Data Leak/Loss Prevention (DLP) tools come into play.
How DLP Satisfies the Regulation
DLP tools are designed to systematically automate the surveillance of data access and sharing. By using technology to monitor thousands of electronic communications and device activities at your dealership in any given day, DLP tools can do the following:
- Detect Mass Downloading of Data: Through monitoring file access and transfer activities, DLPs can flag when large blocks of data are being downloaded, such as a salesperson attempting to take a customer list to a competitor.
- Monitor Mass Deletion: DLPs track file and database activities and alert administrators if significant amounts of data are deleted either maliciously or by accident. This deleted information can then be restored remotely.
- Identify Suspicious Password Exposure: DLPs scan emails and other communications for commonly used patterns that resemble passwords and raise flags if employees are carelessly sharing or exposing credentials. For example, a dealer employee might carelessly share a password for a sensitive credit system like RouteOne or DealerTrack with a colleague who isn’t authorized. DLP tools will alert the team of such breaches.
- Spot Unencrypted NPI Transmission: By examining email contents and attachments, DLPs can identify if sensitive nonpublic personal information (NPI) is being sent outside secure channels and alert the necessary parties. For example, an employee might send a customer’s Social Security Number (SSN) or credit report outside the dealership by using regular, unencrypted email, which DLP will detect and can prevent.
- Alert on Foreign Logins: DLPs track login locations. If an account logs in from an unexpected foreign country, an alert can be generated so that dealership personnel can follow up accordingly.
- Monitor Access Permissions Violations: By overseeing which accounts access what data, DLPs can detect when an authorized user accesses data they should not have access to.
To further illustrate a common dealer scenario, consider John, a salesperson at your dealership who is moving to a rival store. On his last day, he wants to take his clients to his new dealership, so he downloads his customer database from the CRM or DMS and sends it to his personal email account. Without a DLP tool, it is likely this action goes unnoticed until it is too late to prevent. But with an efficient DLP tool, such unauthorized downloads are instantly detected and appropriate action can be taken.
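The John scenario and the unencrypted-NPI check described above can be sketched as detection logic over audit events. This is an added example, not ComplyAuto's or any DLP product's code; the event fields, thresholds, and domain names are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed settings for this sketch; tune to the dealership's own environment.
INTERNAL_DOMAIN = "dealership.example"
EXPORT_THRESHOLD = 500                    # records in one export treated as "mass"
CORRELATION_WINDOW = timedelta(hours=1)   # export followed by external email
# SSN-like pattern (3-2-4 digits), skipping number ranges that are never issued,
# which cuts false positives from stock or part numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample audit events (CRM/DMS exports and outbound email).
EVENTS = [
    {"ts": "2023-10-02T09:05:00", "user": "amy", "type": "export", "records": 12},
    {"ts": "2023-10-02T16:40:00", "user": "john", "type": "export", "records": 2300},
    {"ts": "2023-10-02T16:52:00", "user": "john", "type": "email",
     "to": "john.personal@mail.example", "body": "customer list attached"},
    {"ts": "2023-10-02T17:10:00", "user": "amy", "type": "email",
     "to": "lender@bank.example", "body": "Applicant SSN 123-45-6789, please run credit"},
    {"ts": "2023-10-02T17:15:00", "user": "amy", "type": "email",
     "to": "parts@vendor.example", "body": "Stock no. 555-12-0000 is sold"},
]

def is_external(addr):
    """True when the recipient's domain is not the dealership's own."""
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def detect(events):
    """Return (user, rule) alerts for mass exports and risky outbound email."""
    alerts, last_mass_export = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "export" and e["records"] >= EXPORT_THRESHOLD:
            last_mass_export[e["user"]] = ts
            alerts.append((e["user"], "mass_export"))
        elif e["type"] == "email" and is_external(e["to"]):
            if SSN_RE.search(e["body"]):
                alerts.append((e["user"], "npi_external_email"))
            prev = last_mass_export.get(e["user"])
            if prev and ts - prev <= CORRELATION_WINDOW:
                alerts.append((e["user"], "export_then_external_email"))
    return alerts

if __name__ == "__main__":
    for user, rule in detect(EVENTS):
        print(f"ALERT {rule}: {user}")
```

The correlated `export_then_external_email` alert is the one that matters on a departing employee's last day: either event alone can be routine, but the pair within a short window is worth an immediate follow-up.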
A Comprehensive Solution
Navigating the “unauthorized activity monitoring” mandate of the FTC Safeguards Rule can be daunting. Fortunately, ComplyAuto’s Advanced Device & Email Security package is tailored for this very challenge. Beyond its integrated endpoint detection & response (EDR) and multi-factor authentication, the third core feature of this product is its DLP tool. Operating 24/7 in real-time, this solution is finely tuned to the unique needs of the dealership environment.
With the FTC Safeguards Rule as a guiding light, it is imperative for dealerships to equip themselves with the right tools to stay ahead in this era of digital data threats.