Does your data security strategy protect against spear phishing?

Published on


Auto dealers are mandated by state and federal law to protect the non-public private information of their customers such as email addresses, mailing addresses and financial information. Much of this data is maintained in a dealer’s management system or DMS. Many technology vendors access that data for different purposes, some by pulling data from the DMS and some by accessing only that data that the dealer pushes to them from the DMS. The National Automobile Dealers Association (NADA) has recommended that dealers do not permit vendors to pull data from the DMS. Instead, NADA recommends providing vendors with only the data that the dealer selects to push to the vendor, thereby maintaining control of the universe of data to which the vendor has access. In fact, in January of last year at the annual NADA convention, the NADA issued an addendum to the dealer data guidance it released the prior August, which included a sample agreement dealers can issue to their technology vendors, particularly those that require access to the dealership’s data.[1] It’s important to note that this agreement is intended to comply with federal law only. The state or states in which you operate may have laws that broaden your data protection obligations or nuances that must be observed in developing such an agreement. So it’s important to have your attorney review any such agreement before you implement it.

But implementing such an agreement for your technology vendors is merely one step in protecting customer data in an ever-changing industry. And protecting customer data is just one piece of a larger compliance program.  For example, protecting customer data and the confidentiality of dealership information requires an adequate social media policy and an adequate confidentiality agreement, developed after a comprehensive review of dealership sales and service operations and analysis of the way in which your dealership employees communicate with customers and potential customers. 

Even those steps may not be enough.  On May 13, 2015, the Boston Globe reported that your employees are the weakest link in your data security strategy, but not for the reasons you might think. It reported that phishing emails are blamed for several big data thefts in recent years, including the 2013 breach at Target Corp., which affected nearly 1 million consumers in Massachusetts alone. The newspaper also reported that during the first half of 2014, there were 123,741 unique phishing attacks worldwide, the most since the second half of 2009.[2]

Phishing techniques have become much more sophisticated, with hackers doing reconnaissance on their victims, targeting those in your organization that have access to confidential financial information or non-public, private information of customers. They cull data from the Internet and social media sites, such as LinkedIn, for tidbits of personal and professional information that can be used in making phishing emails look legitimate. They know where their victims work, whom they do business with, the names of their bosses, and email addresses. The tactic is called spear-phishing.

How do you protect against spear phishing? You have to educate your employees. Train your employees to watch for suspicious emails or require them to call the sender of the email to verify the information contained in the email. Consider adopting a policy that requires employees to forward even mildly innocuous emails to management or IT and to run a search on the email address or domain name to determine whether it is legitimate. Consider prohibiting employees from responding to any such emails with personal or company information, passwords, customer information or financial information of the dealership in response to any such emails. As part of this policy, you might consider directing IT to block domain names once it receives a suspicious email from an employee.

Forewarned is forearmed. Data protection is a complicated compliance area that should not be attempted without the assistance of a knowledgeable automotive attorney. For assistance in developing a comprehensive data protection strategy, contact a knowledgeable automotive attorney.

[1] Source: NADA Adds Guidance for Dealers about Data, February 4, 2014.

[2] Source: For hackers, people are an IT system’s weak link, Globe Staff, May 13, 2015.