Nearly 60 million Americans have experienced identity fraud, and much of that fraud comes from information stolen during data breaches. In fact, 31.7 percent of breach victims later experienced identity fraud, compared to just 2.8 percent of individuals not notified of a data breach. Consumer complaints about car loan and lease identity theft were the 6th most common identity theft complaint in a Federal Trade Commission report. While most would immediately think of cybersecurity breaches as the starting point for identity theft, this perception is leaving a gap in many business’ security programs, including those of auto dealers. While cybersecurity is a very real threat that dealers must consider and prepare for, physical information security is a problem that often lacks awareness, and therefore lacks a system in place for protection.

Dealerships are open to the public, creating a physical information security risk as anyone could walk right through the door. Auto dealers are also at a heightened risk due to the significant amount of physical paperwork that is created and passed through a dealership daily including loan applications, contracts, credit reports and so much more. With four in 10 (40%) consumers reporting they would stop doing business with a company or brand if the company previously suffered a security breach, it’s critical for auto dealers to disclose their privacy and information security policies to customers to reinforce that the dealership will keep their information safe. What’s more, dealerships must train their employees and enforce strict adherence to the information security policy. 

However, trust isn’t the only reason that dealerships must share information about customer privacy. Auto dealers are considered to be financial institutions as they offer financial services such as loans, so they must be compliant with a variety of financial laws including the Gramm-Leach-Bliley Act. This requires businesses to notify customers about the information they collect, who they share it with and how they protect that information. If dealerships aren’t already, they should be including physical information security in the privacy information they share with their customers.

Let’s take a look at how dealerships can put better physical information security practices in place to create a long-term strategy for keeping customer data safe.

Understanding Which Documents Should Be Discarded

The first step to creating a physical information security policy at dealerships is understanding what information should be discarded and how to discard it in order to protect customer privacy. There are numerous documents that auto dealers possess, and some that are more obviously confidential than others. For example, documents including social security numbers, financial statements, driver’s license numbers, loan applications and credit reports should always be shredded – not simply tossed in a recycling bin.

One way to ensure that you’re actively protecting this information and preventing data breaches at your dealership is to create a policy to shred all documents no longer in use. With this policy, employees don’t need to decide what information is or isn’t confidential and it simplifies the document disposal policy for everyone.

Once you have this policy in place, it’s time to cover the full suite of physical security risks at your dealership and ensure employees understand how to take care of documents that are still in use.

Creating a long-term strategy for protecting customer data

With over 60 percent of small businesses in North America reporting it took their business more than six months to recover from a breach, and some saying they never fully recovered, information security policies have never been more important to your dealership’s livelihood. There are various processes that should be included in your information security policy to create well-rounded protection for your dealership including digitization, decluttering, document retention and employee training.

Create a clean workspace

The more paperwork that’s left out on a desk or in plain sight, the higher the risk of it being compromised. You can work to declutter employees’ desks by creating a clean desk policy for all employees and start with a one-time document purge to create a clean space. With this policy, dealership owners should ensure employees plan their day by organizing documents first thing in the morning, clearing their desk before attending a meeting or taking a break, and filing, locking up or shredding documents at the end of the day to protect sensitive information. Having a desk clear of confidential documents will also preventing visual hacking, or information stolen through photos or pure memorization of what a thief sees.

Use the one-in-one-out rule

This process helps dealership owners figure out when to get rid of certain documents. If there is a new version of the document available, you should get rid of the original version to decrease risk of stockpiling and misplacing paperwork. Additionally, developing a retention schedule for documents can aid this process by determining which documents should be kept for a day, a month, a year or longer.

Employee training and reinforcement

Only 28 percent of small businesses train employees on keeping sensitive information out-of-sight when working in a public space – such as a dealership. In a similar vein, 51 percent of small business owners admit that employee negligence is one of their biggest information security risks, pointing to the need for more employee training in the workplace. While there are various engaging ways to train employees on physical information security in the workplace, reinforcement and rewards are a secondary step dealerships can put in place to further protect from employee negligence. For example, sending out emails or placing signs around the dealership to remind employees of new policies, and recognizing employees with a secure employee of the month program, can help keep employees in check when it comes to information security policies.

Combining employee training with decluttering and regiments for destructing documents, you can mitigate the information security risk that comes along with operating a dealership.