Issue link: https://read.dmtmag.com/i/358154
20 | www.cedmag.com | Construction Equipment Distribution | August 2014 A finance officer at a financial institution was let go due to poor performance. Before the employee had been terminated, the worker used the company's computers to access customer account information such as names, social security numbers, driver's license numbers, and home addresses. The employee used this information to open accounts and incurred unauthorized charges under the names of the individuals from whom he stole the personal information. The defendant made numerous purchases totaling over $50,000. (Source: U.S. Department of Justice, March 2013). Could this happen at your dealership? Unfortunately, the answer is yes. That is why it is important to safeguard customer data. Not only does it make good business practice, but it's the law. The Federal Trade Commission (FTC) requires businesses, financial institutions and creditors (including dealerships and businesses involved in financing or arranging purchase or lease financing) to develop and implement a written program to identify and detect the relevant warning signs – or "red flags" – possibly indicating identity theft. The program must also prevent and mitigate instances of identity theft and has to be managed by the board of directors or senior employees of the business entity. It must include appropriate staff training and supervision, oversight of the use of any credit service providers at the dealership, and must describe appropriate responses that would prevent and mitigate the crime, as well as detail a plan to update the program as needed. General Requirements A written information security plan should designate one or more senior management staff to coordinate and oversee your customer identity information security plan. They would have the responsibility to identify and assess the risks to customer information in each relevant area of the dealer's operation and evaluate the effectiveness of the current safeguards by regularly monitoring and testing the program. They would also: Select outside service providers who are qualified to maintain appropriate safeguards. Your contracts should require service providers to maintain stipulated safeguards and oversee their handling of customer information. Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations and the results of security testing, monitoring or actual identity theft incidents. Employee Management and Training Develop policies for employees who transmit data. Consider whether and how employees should be allowed to keep or access customer data at home. Also require that employees who use personal computers to store or access customer data use approved security against viruses, spyware and other unauthorized intrusions. Coordinate this security with your information technology area. Additional risk controls include: Check references and do background checks before hiring employees who will have access to customer information. Require that every new employee sign an agreement to follow your company's confidentiality and security standards for handling customer information. Threats from employees and hackers alike are your responsibility, and must be controlled. BY ERIC STILES Is Your Customer Data Vulnerable to Identity Theft?