Navigating the New FTC Safeguards Rule: Data Manag ...
Webinar Recording
Video Transcription
Hello, and welcome to today's webinar. Our speaker today is Kevin Landers from Rocketwise. Before I turn it over to Kevin, I'd like to let those of you who are with us live know that you may submit questions during the webinar via the Q&A tab at the bottom of the screen. This webinar will also be recorded so that you may watch or re-watch on demand at your convenience. With that, I'll turn it over to Kevin.

All right, well, thank you, Karina. I appreciate the opportunity to be here and speak with you all today, and I'm looking forward to hopefully getting some of your questions answered and providing you with some direction on the FTC Safeguards Rule, excuse me, and some of the revisions that have come down the pipe through the FTC. Just as we kind of get started, one of the things I find that would be super helpful is to know, with the folks in the room, what role are you in? Perhaps your department, your title. I don't want to make an assumption as to who's with us, but I do want to make sure that I make an effort not to go too deep in the woods on the technical side of things. So, if you just open up chat and just kind of type in your title and/or the department you're part of. All right, okay, so we've got some sales and marketing here, right. I guess the rest of us are either having problems finding the chat button or maybe a little bit bashful, and that is okay.
So, all right, IT director, okay, so some of my people are here too then, so glad to know I won't be on my own here. Okay, well, I guess put it in the Q&A section, because some folks are reporting that the chat's disabled, so sorry about that. All right, well, we'll get going. So with the FTC Safeguards Rule, you know, basically we're just going to talk today about those rules, the new requirements from the FTC that you're going to see impacting you and your dealership, and kind of talk through how you can, well, yes, these are some things that you're going to have to abide by, potentially looking at them as an opportunity for your dealership when it comes to basically getting things set up right in terms of security. So, for my IT director friend on the call, you know, we don't always get unlimited budgets to work with to get the right types of security tools and systems to help us do our jobs, nor do we always get the approvals to put some policies and procedures in place to help the dealership and to help us out in our roles. Likewise, if you find yourself on the sales or finance and insurance side of the house, you know, there are a lot of tools out there that you may find attractive that look like they would help you with some efficiency in your organization that maybe you just haven't had the budget or interest from further up in implementing. And so, some of those same tools, while they drive efficiencies for our dealerships, also help us to take some of these requirements and actually put our dealership in a place where we meet them a little more readily and help us to be a bit more secure with consumer information, which is really what is at the heart of this entire deal, right? So, that all being said, look at it as an opportunity, not just, especially on the tech side, yet one more thing that we have to deal with. Technically, it is, I get it.
And believe me, on our end, we're having to work with our dealer clients to help make sure these things get implemented for them. So, it's added things to our list that we have to do above and beyond, but at the same time, it is an opportunity. That said, you know, I'm not going to assume that everyone knows, you know, what the FTC even is, much less what they do or where this, you know, safeguard came from. So, we'll kind of start with the basics and work our way from there. You know, the first thing is really, who is the FTC? So, you know, that's the Federal Trade Commission. And this is a group that was put in place because, well, we had this issue where businesses were taking advantage of consumers. And, you know, basically, the FTC was put in place to help protect the consumers by preventing some anti-competitive business practices, some unfair business practices, putting things in place to discourage companies from using deception or deceptive practices in dealing with us as individuals. So, basically, these are the advocates for all of us. So, while yes, in the dealership or whatever position we see ourselves in in an organization, we're on the opposite side of it, individually, outside in our daily life, the FTC is, you know, there to basically be our advocate to make sure that when we go to buy something, you know, we know what's going on and we can have good faith that, you know, we're not being taken advantage of. So, anyway, they're stepping in to help protect consumers, especially as regards privacy. And that's what this is all about. So, a little bit of history around where all this stuff emanated from. You know, if we go back to the past, we have the Great Depression in 1929. The stock market crash kind of kicks off the Great Depression. And, you know, things start kind of falling apart during that period of time.
And in 1933, Congress came together and they passed what's called the Glass-Steagall Act. And that was to go through an update of financial regulations. Now, this, again, was in response to the Great Depression and how the market suffered and played its part. And so, when they looked at that, there just really weren't a lot of controls in place to prevent that from happening. Now, I don't claim to be a history major, especially around the financial world. I am a bit of a, you know, military history fan and love that side of things. But this is outside of my history periphery. So, I may get a little bit of the details wrong or not exactly right. So, rather than dive into 1933 through 1999, let's just say that for the most part, there were not a lot of major regulations or changes to the regulations around the finance industry during that period. Now, that being said, if you think about it, in that same time period, on the other side of the aisle in technology, we split the atom. We also sent people to the moon and brought them back. And we did it not once, but quite a few times. We also invented the personal computer, and somebody, or Al Gore, created the internet. Maybe, we're not entirely sure. But anyway, we had a lot of advances in technology. So, there have been a lot of changes on the other side of the fence in the realm of technology. And, you know, as a result, there have been changes in how things were being used and how personal information was being disseminated. So, we go to November 1999. And finally, Congress decides, you know what, we should do something about it. And so, they went through and they put together some security requirements for different types of financial institutions. And so, Congress passed the Gramm-Leach-Bliley Act. Basically, what it was meant to do was to modernize the financial industry, bring it up to speed, right?
And in doing so, they decided to put the FTC in place to be, not in place, but to make them responsible for implementing it. And they basically released the rule in 2002. And it went into effect the next year, 2003. So, what this did is it applied some new controls on financial institutions. It went through and it required them to have these new controls in place. And you can kind of divide them up into two categories. There were both the security protections and the disclosure requirements that businesses had. And these protections, they're based on the technology at the time. So again, we're talking like 1999, 2002. I'm not even quite sure the iPhone was even being developed at that point. So, this is a while back in terms of technology. And unfortunately, it just didn't really solve the problem, especially in 1999 and moving forward. Some of the problems were that, first of all, it was just unclear. It also didn't have any teeth, meaning there wasn't a lot of bite to it in terms of what they could really do if someone was found not in compliance. And as a result, we had some big events. In 2008, we had Heartland Payment Systems; they leaked 135 million credit cards. Experian in 2013, they had 200 million records that were leaked. And then in 2019, First American Financial Corp., they leaked 885 million records. So, obviously, something wasn't working, right? So, what's happening here is we have a major change to the technology landscape happening between the early 2000s and today. And so, in December 2021, the FTC decided, hey, we're going to go through, we're going to revise these safeguards rules. And as a result, the biggest change was really how they expanded the definition of financial institution. Okay. So, the scope in 2002 was pretty much limited to this, which wasn't too terribly detailed. And it might have, as I said earlier, been a bit unclear, right? In 2021, they came along and made it a bit more clear.
And if you take a close look at the list, you'll notice that, excuse me, there are a lot more organizations that are being specifically called out. And so, a couple of examples of the organizations called out in that new scope: you know, the first is mortgage lenders. The next one after that is payday lenders. Now, these are the folks that give you like an advance on an upcoming paycheck or whatnot. We also have finance companies, mortgage brokers themselves, account servicers, check cashers. And I'm not talking about the payday lenders here. These are the folks that, if you actually take them a check, they'll cash it for you. People who do wire transfers, some travel agencies, real estate appraisers, credit counselors, automotive dealerships, tax preparation firms, non-federally insured credit unions, and some investment advisors. So, a good bit better list, or more defined list, of who the FTC is focusing on with the Safeguards Rule. So, the Safeguards Rule, you know, now that we know who, you know, what is it, you know, how is it changing? Well, the new Safeguards Rule was specifically created to protect the security, the confidentiality, and the integrity of customer information. And if you take a close look at this, what you'll find is they define customer information as any record containing non-public personal info about a customer of a financial institution, whether in paper, electronic, or other format, that is held and maintained on behalf of you or your affiliates. So, basically, this means computer data as well as all the paper stuff that's sitting around on people's desks throughout your organization. And this new safeguard really establishes parameters for good customer data hygiene, which means just, you know, good practices, good processes for really just managing it and taking care of it, being good stewards of it.
In addition to that, though, the other thing that happened is that, with their Safeguards Rule, they created some punitive consequences for failing to adhere to their parameters. And we'll go into that in a little bit. Now, the companies that meet these new guidelines, they're required to do a couple of things. At a high-level view, the first thing they're required to do is to develop, implement, and maintain a comprehensive information security program. Now, that means they have a written, readily accessible program that has well-defined controls based on the organization's size and complexity. It also explains the nature and scope of what the company's activities are, and it also documents how they manage the sensitivity levels of that customer information. And then secondly, or the other half of it, is that, you know, the program objectives are pretty straightforward. The first one's making sure that the customer information is actually secure and confidential. The next is protecting that information against anticipated threats to the security of that system. And then the next objective is to protect that information against unauthorized access that's going to end up, via that access, causing some kind of substantial harm or inconvenience to the consumer, that customer. So basically, if you're putting together one of these programs, there are ultimately nine things you have to implement. Now, I'm going to pause here and say, listen, these nine things, they're technical in nature. So for folks in IT, these are probably going to be some familiar items. For folks that are used to doing risk management or mitigation, perhaps outside of the IT realm, maybe someone in a controller or CFO role, these things are probably going to be similar. If you don't fall into those categories, if this is not a world that you live in day to day, relax. You don't have to take a flurry of notes. As I go through things, there are going to be a lot of bullets.
We're not going to spend a lot of time on them, but I say all that to say, don't let it overwhelm you. At the end of the presentation, Karina will actually be sending out a document, a cheat sheet of sorts that we have on these elements. And so what I really want you to get is the overall feel of where this thing is going, where this new Safeguards Rule is going. Don't get so worried about the details that you're about to see. Okay. So, well, I'll take a deep breath and we'll look at these nine elements. So the first element that you're going to have to do is basically to designate a qualified individual to be responsible for the program. Next, you're going to have to document a risk assessment, and then you're going to have to apply controls. And just so, as we start talking about controls, controls are basically this: if you have a risk, like, you know, there's a risk that if the door is unlocked, people will come in after hours and steal stuff. Okay. That's a risk. A control would be a lock on the door. So we'll put a lock on the door, we'll lock it at five o'clock when we leave, and it's less likely that people will walk in and steal stuff while we're not here. So a control is just a measure to mitigate or accept a risk. So I just want to put that out there. The fourth is going to be validating those controls, developing a training and auditing program, monitoring your service providers or vendors that you work with, developing a continuous improvement cadence, documenting an incident response plan, and then finally providing an annual report to your senior leadership. So those are the nine elements that the FTC Safeguards Rule is putting in place. So again, to those in the, you know, CFO, controller, CIO, IT director roles, things are probably going to feel familiar. Basically, what they're doing is they're mandating things that are part of standard compliance frameworks, like maybe NIST or CIS or other things.
If you have a history in implementing some of those types of things, you'll see a lot of similarity here. Again, going back to just good customer data security hygiene. So let's talk about those nine things. Again, we're going to talk about some bulleted parts of these nine elements, but we'll try very hard not to get lost in the weeds here. So the first item on that list was the security program owner. So the first thing to know is the person does not have to be a part of your organization. This is one thing good to note, and this is about the only place you'll hear me talk about ourselves. This represents a chief security officer. Usually, if you're getting a person who really knows what they're worth, you're probably looking at a $200,000-plus salary for that individual. Usually in the small and medium business world, it's going to be in the high $200,000s, but that's about where this role should be if they're properly pricing themselves. And usually this is a stepping stone for them to get into the enterprise. So usually at this point, they're building the resume, looking to go into the enterprise. That said, the key point here is don't fret over that. It can be outsourced. You can work with other companies. Again, the only place I'll talk about us is that we actually are a company that does, you know, virtual chief security officer roles. So you don't have to fork out a quarter of a million dollars to put this in place. That's what I really want to get across to you, regardless of how you go about it. Now that person, they're going to be responsible for compliance. Now, when I say they're responsible for compliance, it doesn't mean that they're managing and dictating compliance, that they're the ones determining how everything is getting implemented and what we will do.
That's a team effort at the company level, because as we talk about this, you'll find that this is going to be about more than just your IT department. That's just a portion of what this really covers, because this is going to go into all different types of aspects of your organization. And so others are going to be responsible for implementing those pieces. Ultimately, this person is responsible for managing the compliance program and helping make sure that all the checks and balances and items are happening and, you know, staying on top of it. So that's your security program owner. The second item on that list was performing and documenting a risk assessment. So when you're going through, this is just like anything else when it comes to security: if you don't document it, it didn't happen. So if you don't have it documented, it never happened. So the first thing you're going to do with this is you're going to determine what your risk criteria are. Then you're going to assess your existing controls that handle those risks. And then you're going to determine how those risks will be mitigated and accepted. And the key thing here is this is not a one-and-done event. This is something you're going to do periodically, potentially multiple times throughout a year, going through and doing risk assessments, because again, why are we here? We're here because these things were put in place in 2002 to deal with technology from 1999. And now we're 20 years later, and technology has way outpaced these rules and regulations. So again, even for that same reason, that's why we want to continually do risk assessments, because we want to make sure that we're staying up with all the new ways that our company is being opened up to risk. All right. Next, again, is the element of applying those controls. So you're going to go through and you're going to apply the controls. What you're looking for is authorized access controls.
So we're making sure that the people who are actually authorized to access data can access that data and no one beyond that, right? Then you're going to go through and you're going to look at encryption of that information and implement things like multi-factor authentication and a process for handling data disposal. So when you're done with the data and it's past the period of time that you need to hold onto it, how do you dispose of it properly? You're going to go through and build out change management programs. And then finally, you're going to have some sort of logging and monitoring of these controls. Now, again, as I kind of alluded to earlier, there are different types of controls. Really, there are three different types, okay? There's your physical control, like locks on the door that I mentioned earlier. Then we have technical controls like antivirus or encryption on a workstation or a device. And then finally, we have administrative controls, which are like processes and procedures. So as you're putting those things together, just keep in mind that as you're looking at a risk, there are going to be different types of controls that you may need to create to handle those items. And then once you've created them and applied them, you're going to validate them. And that's basically testing and monitoring whether or not they're being effective. You can do that a couple of ways. One way is to do it through performing continuous monitoring on those controls where you're able. And then you're also looking at using penetration tests and vulnerability scans. Ultimately, you want to inspect what you expect here, and you want to test that those controls work. Now, the next thing that you're going to have in place is training and auditing. Basically, you're going to go through and have things like security awareness for your entire team.
And in doing the security awareness training, you should be able to provide evidence that they actually watched and participated and actually had comprehension of the training they're going through. The next thing you'll do is maintain sufficient staffing for your program. So make sure you have the right folks on the team and have them in the right positions in that program, managing that program itself. And then you're also going to ensure that continuing education is something that's happening all the time around your security, that you're continuously doing it. Again, not a one-and-done thing. None of these things are. In fact, I like to tell people security is a mirage. You're never going to arrive. It's like being out in the desert and you see an oasis and it's a mirage. You're never going to get there. You're never going to get to a point where your environment is 100% secure. It's a continual journey. So be aware of that. Next thing we'll do, we'll monitor our service providers, our vendors, and that's going to be ensuring that we actually engage with capable service providers. That means making sure that they have proper safeguards, security in place to meet safeguards, and making sure that that's included in our contracts, that it's not just something they say in marketing, but it's actually something that they are willing to put their name on and that they're willing to prove to us in ways that they have implemented, whether that be through documentation, assessments, et cetera. But you want to make sure they're doing the same things to make sure that they're not opening you up to being out of sorts with the FTC Safeguards Rule. And then we're also talking about performing periodic reviews with the service providers. So at least annually, you're meeting with these folks and getting a confirmation that they're still meeting those criteria to be secure. All right, we're also going to develop a continuous improvement cadence.
So this basically means that we're going to be reviewing our risk assessments and adjusting our controls accordingly, that we're always going to be reevaluating the security program alongside our business changes. And these changes could be as simple as a change in a process where we've identified that the process just isn't efficient and we've tweaked it, we modified it, and now we need to also look at it in light of our security plan to make sure there's not a change there that needs to happen. It also could be a change in vendors you're working with, you're bringing a new one on, you're switching an old one out for another one. It could be technology that you're bringing into the company now. It could even be mergers and acquisitions. So if you're doing M&A, if you have that type of activity going on in your dealership, when you bring in that other organization, when you merge them, there are things there that you're going to learn through iteration. If it's a one-time event, you'll probably identify some things right then, but especially if it's something that is a long-term plan of yours that you're going to continue to do, it's going to present you with an opportunity each time to identify places where you need to update the things that you're doing and improve your situation alongside those business changes. All right, we're almost in the homestretch here. We're going to document an incident response plan, and this is going to include the goals, the internal processes, your well-defined internal roles for the individuals that are part of the incident response team. It's also going to document the communication channels that you're going to use with not only the security team or incident response team, but also with your organization and with outside parties, whether you're going to use chat or you're going to use email or you're going to use phone. Depending on the incident you're dealing with, you may not be able to use some of those methods.
So that is going to be defined in your incident response plan. You're also going to talk about remediation requirements, what your reporting criteria and processes are so that you have a cadence of communication during the actual event, and how you're going to report events to upper management, for example. And you're going to go through and you're going to revise this incident response plan every single time there's an incident, because while you can practice these things, when you actually have an incident and you go through it, that's when you begin to realize where there are weak spots in the way that you're trying to accomplish things. And so that is going to be critical to debriefing after the incident and identifying, hey, where did we just fall flat on our face? Or what were we just not prepared for? Where were the holes, and how do we improve? So you're going to do that after every single incident. And then finally, the last element of those nine is to provide annual reporting to senior leadership. So these annual reports are going to include things like the security program status: where's the security program at? If you're just starting, where are you at on your milestones of getting it implemented? Any changes, et cetera. Findings from any of the risk assessments that you've had during that period. Controls that you've implemented. Security provider engagements that have taken place since the last report. Any of your testing results from penetration tests or vulnerability scans. And then updates on any security events that you've had since the previous meeting. So basically you've got a lot of stuff going into this program. I mean, like I said earlier, it's a lot. And it's easy to look at this and have your eyes glaze over and just get stressed about it. So it is a lot. Now, one question is, what happens if you just don't do it? There are consequences.
So the FTC lined up some consequences, and basically they've got some fines, and they range anywhere from $10,000 to $100,000 per violation, which means they've given the FTC big discretion on how much they're going to charge you if you have an event. And if there's an event and there is gross negligence, it also can result in up to five years of prison time for various members of the team that are involved. One example of that would be if you were intentionally abusing the customer information. So if it's protected info like a Social Security number or driver's license, something like that, and you were doing something malicious, then that's what's going to end you up in jail. I won't say that's the only thing that will, but that would be one thing that probably is going to. And then all of this is going to be enforced by the Federal Trade Commission and also by the Consumer Financial Protection Bureau. So those two are going to be the ones that enforce it. Now, one question is going to be, okay, how are they going to enforce it? Well, the reality here is there's not going to be an FTC police, okay? This is most likely going to be reactive, not proactive. And what I mean by that is that when there's an event, the regulators are going to show up, and they're going to show up with their microscope. And then that's when you're going to get a fine. And that's when compliance is going to be enforced. If it's anything like HIPAA in the healthcare world, it's just going to be done after the breach happens. So what can you do? Well, you can make sure that you're doing all of these things that you should be doing so that when you do have a breach, you don't have to go through and pay these additional fines.
And it'll also help make it a much smoother process when you meet the FTC at the door, so to speak, with your documented plan, with the list of your risk assessments, the controls you put in place, the discussions you've had as an organization, the decisions you've made. When you can walk to the table and present that information and say, hey, we've been doing our best and this is all the documentation of our events that supports it, that's going to go a heck of a long way in working to your favor. Now, timeline to adopt: when are we getting adopted? Well, it was supposed to have gone into place in December of last year, so it should have already been here and been gone. Apparently, the FTC has said, hey, there are organizations out there that are having difficulty hiring people. Go figure. So, that among other reasons, they have postponed it, pushed it to June 9th of this year. So it gives you a bit more time to get this right, but not a whole lot of time. All right, now, coming out of this, one of the things that we wanted to talk about, so you get an idea of what this looks like played out in the real world, is a couple of examples of organizations that the FTC has dealt with regarding the Safeguards Rule. But as we go into that, I want to just take a moment to help you understand some of the other players that you may encounter in situations like this.
The first player that you're going to encounter is going to be an insurance carrier, especially if you have cyber liability insurance or crime insurance. If you have those policies in place, they're going to be the first party, or should be the first party, outside of your internal team that is brought into this picture, because you're going to want to start talking with them, and should have, in dealing with your incident response plan, an understanding of what role they play in an incident. They're going to have teams that they want to work with for forensics, for understanding what happened and how bad it really is, for plugging the holes and so forth. And then there are going to be some communication aspects that they want to control. What do we go public with? What do we not go public with? When do we go public? Do we bring in the FBI? There are a lot of discussion items that the insurance company is going to play a critical role in understanding. Now, that being said, they're going to be with you and they're going to be a team member in this, but it's critical that you understand, when you apply for your insurance, that they're asking you questions about controls, policies, technologies that you have in place to keep things secure. A lot of the things that we just went through already in this presentation from the elements of the FTC Safeguards Rule. And it's in your best interest that if you don't understand those questions when you're answering them, you reach out, you get some clarification, have some help in answering those questions, because they're going to be your team member as long as they understand that the things they asked you about, and asked you if they were implemented, were actually implemented. And even though they were implemented, you still had this event; that's fine. They're there to help you.
But if they find out that they asked a question, and maybe there was a misunderstanding about it, but that control, they asked if it was in place and you thought it was in place, but it isn't in place and it's a part of the breach, then they're going to do their best Mr. Wonderful impression from Shark Tank and say, for that reason, I'm out. And they're potentially just going to leave you sitting at the table, holding the bag. So you want to be super sure that you understand your application process with your insurance providers and understand the things that they expect that you have in place. And then also understand the plan by which they expect you to play the sheet music, as it were, that they expect you to play the song to when there's an incident. So everybody's on the same page and they're there to help you. That said, the next obvious one is the FTC, the Fed; we'll get to that in a second. But one that's not necessarily so obvious, or maybe it is, there's a part of it that's not, is the state. And so your state is going to have data privacy laws. And we're going to talk about that in a second, because the third is obviously the Federal Trade Commission, or the federal government. They're going to be interested. On the state level, though, just taking a moment on the state level, let's say in a hypothetical dealership we have four locations in two states. In this scenario, this is Nevada and Arizona. It probably is obvious to everyone on the call that if there's a data breach and there are state privacy laws, we're going to fall under the laws for these two states, right? Because we operate there. Most people think that because we operate there is the key, and it's not. The key is that that's where the residents are, where our consumers are, in those two states. And because they're residents of those states, that's why we fall, among other things. That's the key thing of why we fall under the privacy law for those states.
That said, what also goes overlooked sometimes is the fact that if you happen to have some clients that live across the state lines in Utah or maybe New Mexico or possibly California, then based on criteria, potentially things like how many of those residents are customers of yours. So their criteria that you have to meet does not automatically mean that you fall under their law. But if you hit the right criteria, it's very possible that you're also, in addition to dealing with the FTC and the federal government, you're possibly gonna be dealing with the states of where your customers reside. So not just where you operate, but potentially across state lines in those states that you just didn't realize you were gonna fall under. So that's just something to consider. Now, that said, going into the examples of where the Federal Trade Commission has actually had some incidents with other organizations, because they've been at this for 20 years. The first one I wanna talk about is an actual automotive dealership. It's in Georgia. So my neck of the woods, I'm over in Charleston, South Carolina, so they're pretty close. And as we start to talk about this story, what I want to share and emphasize that we emphasize with our customers all the time, with the dealers we talk with, is the number one threat to your business are your employees. So if you're an employee of a business, which we all are, I'm an owner of a business, I'm still an employee, we're all the number one threat to the business. Now, I don't mean that we are malicious, that we're out to get them and we're out to destroy the company. That's not what I mean at all. Even good employees make bad mistakes. It happens, right? We can accidentally delete files, we can click on phishing emails, we can install unapproved software, use free and unsecured file sharing applications. We bring our personal devices to work, our cell phones, our tablets, our smartwatches, sheesh, all kinds of things. 
And that's not even our personal laptops, right? You know, there's all kinds of devices that we may have on our person. And then we're most likely, most of those devices are probably unsecured. I mean, there's no antivirus on them, or maybe none that's being monitored and managed professionally. So all that being said, even good employees have bad days, right? Like we all have a life outside of work. It took me a while as a business owner to get to that point. But we all do have a life outside of work. Before we come to work, we wake up and our kids are unholy terrors. They're usually the cutest, lovable creatures in existence. And we are proud to have them in our lives. And then there are days where they're just, I don't know what they are. They're maybe the possessed, who knows? Or maybe we have an argument with a spouse, or maybe we bounce a check or whatever. But we bring more to work than just our physical being and our knowledge, right? We bring life with us. And so every employee has something going on in their lives. Even at work, we have things where we just don't get along with certain people, or we're upset with a customer or whatever, things happen. And so the key takeaway here is it happens, okay? In this scenario, for this dealership, let me back up a second. In this dealership, they had an employee, didn't mean it maliciously, but they installed unapproved software. So that's the first thing highlighted here. And secondly, it was a file sharing application. Now this was like Napster of the day or Kazaa or whatever, that type of file sharing app. The idea being that you install the software and maybe I'm a Beatles fan and I have the Beatles greatest hit collection in my music folder. And then I've got some videos stored and whatever. And I am thrilled to share that with the world. We'll put aside whether that's legal or not for the moment, not while we're here, but I'm happy to share that with anybody that wants it. 
And so I installed this app and I pointed music, pointed videos, and somebody in another country or another state, maybe across town searches for the Beatles. That album comes up. They download it off my computer. Great. Perfect. And maybe at the same time, I'm a Michael Jackson fan maybe. And so I want to download Michael Jackson's greatest hits because I don't have it. So I do a search. I find somebody in Canada that's got it downloaded off their computer. Great. So anyway, this app is designed to do that. I can search for things and download from people around the world. And likewise, people can search and download from me and others around the world. Person installs a software. Here's where it goes wrong. Rather than install it and point it just to their music folder and just to their movies folder, they installed it and let it just scan the computer. And so let's just say hypothetically it does this and I'm another person and I search for James Brown because I want James Brown's greatest hits. That's a pretty generic name, James and Brown. First name, last name, very generic. So what happens if now when I search that I get James Brown music videos, James Brown's greatest hits album, and James Brown's credit application to a dealership in Georgia? That's what happened. So ultimately, this person installed the software, it scanned the entire thing, and 95,000 customer records were exposed on the internet. And so all you had to do was search for whatever terms. So if you accidentally search for James Brown and one person happened to be James Brown, okay, you just got their info. Or if you're malicious and you're using this app because you know people make these mistakes and so you're looking for terms like credit application or info that matches a driver's license or social security number, there are ways the malicious actors can use it to do it on purpose. Look for that because they know that people are going to make that mistake. So that's what happened. 
95,000 records were exposed. The FTC came in and in dealing with it, they found that these records had dates of birth, addresses, social security numbers, driver's license numbers, the whole shebang. And so they started investigating. So in their case, they turned to the GLBA, sorry, I get that mixed up sometimes, the BNL, but the Gramm-Leach-Bliley Act, and specifically to the safeguards rule, and determined that because this dealership was handling applications for lending that ta-da, they're a financial institution. And so the dealership was construed as a financial institution and now they fall under this act. And so in digging further into it, the FTC ruled and their action that they brought against them, these are just the first 10 pages of it, which is really, really tiny. But the key point here is all those yellow highlights are items that the FTC said that this dealership now has to have in place moving forward. And so to help you with that list, first thing was create a written incident, or not incident, information security program, create a chief information security officer role, start doing risk assessments, document retention and destruction policies, doing code reviews, doing penetration testing, making sure that any inputs where they're putting data in, validating those inputs were working correctly, network segmentation, intrusion prevention and detection systems, file integrity monitoring, data loss prevention, location upload, encryption of PII or personally identifiable info. So encrypting the data that had those social security numbers, those driver's license numbers, doing vulnerability testing, having a process for selecting their service providers, doing compliance reports, recording any kind of accounting record issues, employee training. All of this up to this point looks very much like what they are saying we have to have in place for the new revised rules, right? So a lot of this we already talked about. 
Some of this may be new terms, but the majority of this is the same thing. Here's the difference. The kicker on this is they now have to yearly provide certification of all these things to the FTC. And that means all of this, they have to turn over all the documentation and prove to the FTC on a yearly basis they're doing the right things. The further kicker is they have to do it for 20 years. So not just yearly, but yearly for 20 years. And so this is huge. So, okay, up to this point, this dealership could potentially upset quite a few people. We got the consumers, we've got the insurance company, we got the state or states, we got the federal government. That's a lot of bad mojo, right? Well, let's assume for the moment these folks did everything right that they could, okay? Like they meant no one harm. And I'm sure this dealership in reality did not mean anyone harm. I'm sure they just wanted to download music or something, right? But let's assume hypothetically, they did everything right from the beginning. They still had an accident. When the insurance company came to, they sat down with the insurance company and proved to the insurance company, hey, we had everything in place that we said we had in place. It's still just, you know, security is not 100%. Kevin Landers said it on a video. I got a recording somewhere. It's a mirage. It's not 100%. But we tried. And the insurance company says, fine, we're here to help you. And to the extent that the insurance company would allow them, they handled communication with their customers as great as they could. And I'll tell you, being in my industry, so talking about myself and my peers, IT companies, cybersecurity companies, our vendors, I will tell you this. What determines whether we stay with them or we leave them when they have a security incident is how transparent they are to us and how well they communicate to us. 
If we feel like they're hiding something, if they don't post anything, if they're not upfront about it, and we're having to learn about it from like anonymous sources, through other online media, 90% chance that that vendor is going to lose a lot of customers. But the ones that we love in our industry are the ones that we realize bad things are going to happen. But when the bad things happen, they communicate with us, they do a really good job of it. And they are as forthcoming as they can be realizing that there may be some things the insurance company says they cannot legally share yet, and or the FBI, because sometimes the FBI and state and local government get involved. And they just can't tell you stuff, there are things that you can't share, right, until a certain point in time. But the people who do that and communicate that well, are the people that are going to continue to have the customers afterwards. So I will say this for your marketing folks, and yourselves, folks, I think those folks really need to be a part of what you're doing in a compliance program, because those are the folks that nine times out of 10, they know how to communicate, communicate well. And if you help bring them in a little bit, help give them borders, you know, help them understand they can't tell the whole story necessarily, depending on what's going on. Those are the folks that can, during one of these incidents, really help save the ship. So whatever that's worth, didn't cost you anything other than your time here. That being said, you can do all that, right? Customers are happy. The states are like, hey, yeah, we're going to fine you, but you guys are fine. You did your best. FTC is like, hey, nobody's going to jail, there are going to be some fines involved. But again, you did your best. Everybody put their best foot forward. Even in that scenario, here's the downfall. The downfall is I don't do business with you. I hear your ad on the radio. 
I pass your billboard on the interstate. I drove by one of your locations on the highway on my way home, and I have a need for some of the shiny equipment sitting out in front of your building. I'm probably going to grab your name, and maybe not even remember it correctly, depending on what your name is, but I'm going to get pretty close. First thing I'm going to do when I get home and I have that need is I'm going here. I'm going to Google, and I'm going to type in your name, and I'm going to search for you. In the event of this dealership that we're talking about, that's their Google page. Now, again, this takes back to 2012. So I said, hey, it's been 20 years since this whole thing kind of kicked off, 2002, I guess technically 2023. This happened right in the middle. So when someone searches for them, and this is literally a screenshot from my web browser, when they search for this dealership, the link for their website is at the bottom of the page. That's the fourth on the list. The first three, the first two are FTC rulings. And I'll tell you, if you're in my world, like in IT, cybersecurity, anything slightly related, if I see that, I'm probably going to close that tab and start looking for a competitor. Others may actually click to actually read some, but that just doesn't bode well when your top search results are the FTC filings against you for losing 95,000 records, just a bad day. And I have a small background in web design and marketing from eons ago. But I have very close friends that are in marketing that work in that space. And in many industries I have several friends that work at various companies that, if you were at AED Summit, they were on the exhibit floor and they are focused, just like we're focused on only doing IT and cybersecurity for dealerships. They're focused on doing marketing for you folks, digital, offline, et cetera. 
And I don't know how difficult it would be to, I imagine it's pretty difficult to put in a campaign that's going to help get these FTC links onto the second page of Google results. I just imagine that's going to be a little bit difficult to do. So just remember there are consequences in a lot of different forms when it comes to having a data breach. All right. I think we've beat that horse enough. So let's move on to the second example. And this one's a bit quicker. Really, the second example is a lot more recent. In fact, they just started releasing some notes about it in the last couple of weeks, in fact. And so the thing I want to key in on the second example is the scope. The scope of the ruling. And I'll tell you what I mean about that. But the story is about a company called Drizly. And so Drizly is basically the Uber Eats of the alcohol industry. So if you want a drink and you want an alcoholic beverage, you can go on their site, their app, whatever, you can order it, it's dropped off at your front door. In fact, all jokes aside, they were bought by Uber. So there they are. Without getting into the technical how their breach happened, basically some people did get into their systems and basically grabbed 2.5 million records of personal data for customers. All right. So that's a thing, right? So it happens, right? Well, what's unique about this? What's special about it? What's special about it, in my mind, is the message the FTC is trying to get out right now and some of the things the FTC is now doing. So the dealership we just talked about. Dealership had issue. Dealership had a case against them. FTC had a ruling against the dealership, against the organization. Okay. What happens with Drizly is FTC has a case against Drizly, rules against Drizly, but they also ruled against the CEO. And that was a first. So from their press release, the next three slides, you can find this on FTC.gov. Just Google search FTC and then Drizly, D-R-I-Z-L-Y. 
Told me a couple of times to get that right. But here on the quote, our proposed order against Drizly not only restricts what the company can retain and collect going forward, but also ensures the CEO faces consequences for the company's carelessness. CEOs who take shortcuts on security should take note. And I'm taking note of the time, so I'm going to speed up a little bit here. The next one is orders commendable marks a meaningful step forward in our data security enforcement. Naming the CEO who oversaw these practices helps ensure that corporate leadership must take seriously their obligation to safeguarding customer information. And then finally, today's action, and this is the chair and another commissioner of the FTC, should put other market participants on notice. Finally, holding individual executives accountable, as we also do here, can further ensure that firms and the officers that run them are better incentivized to meet their legal obligations. Takeaway from here is they ruled against the organization. They ruled against the CEO. They're not just limiting the scope to CEOs. If you're over this area of the organization, over this consumer data, you're in the target. And the key thing against the CEO was basically, you know, he's sold, he's exiting. Maybe he's going to go live on a beach in Fiji. Maybe he's got some more, you know, some more ideas in him, and so he's going to work with another organization, advisor, board member, executive, whatever. But the FTC says all these things that we say that Drizly now has to have in place, similar things to that dealership, you as a CEO, if you get involved with any other business in these type roles, those businesses now have to have these in place, and we need to know about it. So I would imagine if a CEO came to you and said, hey, I want to advise your company. I want to be involved. I sold my company to Uber for millions. You're probably like, hey, that's great. Let's get involved. 
I'd love to have you on board. But when they say, so the FTC is going to know about this because this other thing happened while I was there, and here's a list of the things that now you're going to have to do if you want to bring me on board. It's a little bit less likelihood, unless you've got your house in order already, that you're going to want to take that risk. It's going to limit their options moving forward. That said, the last quote I'll give you, this is actually from Brett Davis, worked at CNH. He posted an article in the Equipment Leasing and Finance Association on their website. The title, I took it a little bit out of context, but the title was data comes from somewhere, so let's protect it. The way I like to read this is, listen, the data that we use in our company day to day, it comes from somewhere. It comes from our families. It comes from our friends. It comes from our peers in our community. It came from somewhere. It came from someone. In essence, it is about someone; it is someone. So, hey, let's do the things that we need to. Let's do the needful to protect that information and keep it secure. Again, I realize I've gone long, but Karina is here for some questions. If you have some questions and if we can't take them all, that's fine. We can handle them offline and get the answers to you. I'd be happy to do that as well. So, if you want to stick around, Karina, I'll be here as long as people want to hang out. So, if you have a question, you're still with us at this point, far away, can we get a copy of the slide deck? Do you want even better, again, that cheat sheet, it's got a lot of the same information that's in the slide deck. And so, yeah, we'll be getting that information to you. And if there's some information, listen, you don't even have to reach out to me and go through Karina. So, you don't even have to talk to me. 
But if there's something in that document that is missing that you're hoping was there, just communicate it through her, reach out to me directly, and I'd be happy to get whatever further details you need. Does that work? Sounds good. Anybody else? While others may be wanting to put a question in, I will say, share with you, I mean, so, if you have a question, please go ahead and share it. But a couple of things, again, we'll be sending through Karina the cheat sheet document about the FTC safeguards rule. It'll point back to a lot of, directly point back to a lot of the FTC's own writings about the subject. Also, she'll be providing you a recording of this session, if you need to review it yourself or you need to share it internally with your folks. So, those are coming after the presentation. And then lastly, listen, again, this is the world in which we live, and we have a personal mission. Our personal mission is to serve and protect a million dealership team members. Now, that sounds lofty, and I'm not saying a million dealers, because there aren't that many out there. But in doing that, that doesn't mean that we work with them. That means, in some way, we're doing things like this, where we're providing education opportunities so that they are, they leave better than they came, more equipped than they came, regarding whatever subject we're talking about. But also, with cybersecurity audits, we do, we do paid audits, okay? We do those with our customers on a recurring basis, like things that we outlined in the presentation. We also do them one-off with companies that come to us that are having cybersecurity events. That said, we use a third-party company that we actually leverage on our own company so that we're not proofreading our own work. And so, there's a third-party company we work with that does that. We have worked with them and have them waiving their fee for running the assessments. We're waiving our fees. There's no sales pitch. 
It's literally, if you'd like a free audit, we're happy to give it to you for attendees here. We did the same thing for attendees at Summit. And the goal here is simply this. With the cheat sheet and some other info about the safeguards, and then with going through a cybersecurity vulnerability assessment, we can give you real-world idea of where your dealership is vulnerable. And then you can take that information, never talk to me ever again. And basically, use that information, line it up, and see, hey, where are the places where we're good and we just need to document some things, and where are some places where we're vulnerable today and we need to go in and tighten up our ship? And anyway, that's the goal there. Karina, any other questions that you see come in? And sorry, you can see it on the slide, but rocketwise.com slash AED. Just go there, sign up, and myself or someone on our team will get you scheduled and taken care of. All right. Well, Karina, I'm going to hand it over to you if you want to close it out and take from here. Yep. Thank you. Thank you, everyone, for attending. All right. Have a great day.
Video Summary
In the webinar, Kevin Landers from Rocketwise discusses the FTC safeguards rule, which is designed to protect the security, confidentiality, and integrity of customer information. The rule applies to financial institutions, including automotive dealerships. The webinar covers the nine elements of the rule that need to be implemented, including designating a qualified individual responsible for the program, conducting risk assessments, applying controls, validating controls, developing training and auditing programs, monitoring service providers, implementing a continuous improvement cadence, documenting an incident response plan, and providing annual reports to senior leadership. Landers gives examples of companies that have faced consequences for failing to comply with the safeguards rule, including fines and prison time for individuals involved. He emphasizes the importance of data security and the potential impact of a breach on a company's reputation and customer perception. Landers also offers a free cybersecurity vulnerability assessment to attendees of the webinar to help identify areas of vulnerability and tighten security measures. Ultimately, the purpose of the webinar is to educate automotive dealerships on the requirements of the FTC safeguards rule and encourage them to take steps to ensure the security of customer information.
Keywords
webinar
FTC safeguards rule
customer information
financial institutions
automotive dealerships
controls
training programs
incident response plan
data security
cybersecurity vulnerability assessment