Be Prepared With This Data Breach Response Plan

In case of a data breach, use this template of a written response plan to help protect your business and customers’ vital information.

As a business owner/dealer, you have an obligation to protect customers’ personal information. This is called personally identifiable information (PII) and includes names, addresses, Social Security numbers and dates of birth.

If your dealership does not currently have cyberinsurance, please consider it now. Dealers are constantly getting phishing emails. From a risk perspective, statistics show that it’s not if you are going to get an attack — it’s when. Many dealers receive threats on a daily basis.

Consider having a written corporate data breach response plan so all employees know what to do in case of a detected or known breach. Employees should be trained on cybersecurity regularly, which should include discussions on password protection, phishing and other issues related to keeping this vital information away from the bad guys.

Here is a sample written plan to use as a basis or template for your company:

  • If you suspect a breach, contact __________ (owner or general manager) immediately at _______ (insert cell number)
  • ___________ will contact the cyberinsurance carrier immediately
  • Move quickly to secure the systems and fix vulnerabilities that may have caused the breach
  • Stop additional losses by taking all affected equipment offline immediately
  • Do not turn any machines off until insurance company forensic experts arrive
  • If possible, put clean machines online in place of affected ones
  • Update credentials and passwords of all authorized users (if a hacker stole credentials, the system will remain vulnerable until the company changes credentials, even if the hacker’s tools have been removed)
  • Remove improperly posted information from the web, including the company’s own websites
  • If the data breach involved personal information improperly posted on the web, the company will remove it immediately
  • Be aware that search engines store or “cache” information for a period of time
  • Contact the search engines to ensure they don’t archive personal information posted in error
  • Search for the company’s exposed data to make sure that no other websites have saved a copy. If you find any, contact those sites and ask them to remove it
  • Ensure staff knows to forward any information that may aid the investigation to ______________ (owner or GM)
  • Document the investigation
  • Do not destroy any forensic evidence during the investigation and remediation
  • The company will create a comprehensive communication plan that reaches all affected audiences
  • No one other than the designated point of contact should be authorized to discuss any of this with the public. In its communications, the company will avoid:
      • Making misleading statements about the breach
      • Withholding key details that might help consumers protect themselves and their information
      • Publicly sharing information that might put consumers at further risk
  • Once the breach becomes public, the company should anticipate the questions people are likely to ask and prepare answers
  • The company will notify appropriate law enforcement
  • If names and Social Security numbers have been stolen, the company will contact the major credit bureaus
  • If the compromise involves a large group of people, the company will advise the credit bureaus. If the company recommends people request fraud alerts and credit freezes for their files, here is the contact information for the three major bureaus:
  • People whose Social Security numbers have been stolen should contact the credit bureaus themselves to request fraud alerts and credit freezes
  • In addition, people whose Social Security numbers have been stolen should contact the IRS Identity Protection Specialized Unit at 800-908-4490
  • In concert with the cyberinsurance carrier, the company will notify individuals quickly that personal information has been compromised so they can take steps to reduce the chance their information will be misused. In deciding whom to notify, and how, the company will consider:
      • The nature of the compromise
      • The type of information taken
      • The likelihood of misuse
      • The potential damage if the information is misused
  • When notifying individuals, the Federal Trade Commission (FTC) recommends:
      • The company consult with law enforcement about the timing of the notification so it does not impede their investigation
      • ____________ (owner or GM) will be the point of contact for releasing information. No one else is authorized to do so
      • If the company does not have contact information for the affected individuals, it will consider how to contact them
      • Note what happened, how it happened, what information was taken, how the thieves used the information, what actions have been taken to remedy the situation and what actions are being taken to protect individuals, such as offering free credit monitoring services
  • Also, refer to identitytheft.gov/databreach for information on appropriate follow-up steps after a compromise, depending on the type of personal information that was exposed
  • Ensure the affected customers know how the company will contact them in the future. For example, if the company will only contact them by mail, it will communicate that
  • The company will consider telling customers that updates will be posted on a specific part of the website, which will give customers a place they can go at any time to see the latest information. This will save time by reducing phone calls

I understand the company’s Data Breach Response Plan and will adhere to it. If I have any questions, I will contact ________________.

__________________                                    ___________________
Printed Name                                                  Signature

Date of training: ___________

Consider proactively implementing a protocol to safeguard your dealership before any issues arise. I also recommend that you review this resource from the Federal Trade Commission (FTC): ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf.

Tom Kline

Tom Kline, a former dealership owner with 30 years of experience, specializes in solving dealership problems through risk mitigation remedies, compliance and dealership dispute resolution. Tom is lead consultant and founder of Better Vantage Point and has worked with publicly-held and private dealerships. Kline is an Endorsed Expert for the RVDA, VIADA, CIADA, and Dealership Marketing Magazine.