Too often dealers focus on technology tools and forget about the basic “best practices” that can make or break the business.  When it comes to the obligation to protect a customer’s personal information, it’s the failure to pay attention to the details that can get you in trouble. Use this guide to ensure that your customers’ sensitive personal information and your critical business data are protected.

Security of facility

The layout of the dealership presents lots of ripe opportunities for the compromise of information. Thought should be given to what type of information is handled by employees that interact directly with the public, thus increasing the odds that visitors will be in proximity to documents they shouldn’t see. Every dealership should have a “clean desk” policy which prohibits sensitive information from being kept on a desk when left unattended, and employees should have access to locked drawers and file cabinets in which to store papers when stepping away from the desk.  

Consider whether all employees should have access to the entire facility, or whether access can be restricted by job description so that employees aren’t free to enter areas where they have no reason to go.  Sale’s personnel don’t have much of a reason to have unfettered access to the collections department, nor would collections personnel have reason to freely walk through the accounting office.  In a smaller dealership, it may not be practical to restrict access so it’s important to consider proper placement of personnel and the other measures discussed herein.

Are there written policies and procedures in place to limit the access of third-party vendors such as delivery personnel, repairmen and other service providers?  Are they required to physically sign in and out when they come and go?  Are they escorted back to the work area and supervised, or are they left to wander around the facility? What kind of due diligence is done to investigate these vendors? 

Don’t choose convenience over security. They are both important. Put copy machines, fax machines and scanners behind locked doors. Put good shredders next to every waste paper basket. These are simple steps that can eliminate problems.

Build a culture of security

Employees are probably the biggest point of vulnerability for a dealership so conduct robust pre-employment screening to make sure your future employees are trustworthy.  Have all employees sign a confidentiality agreement that sets forth how they are to handle confidential information and restricts their use of such information in any capacity. Test the employees at least annually on their confidentiality obligations and, upon separation, provide them with a copy of the signed agreement and remind them of their obligations.

Make sure to have an employee handbook that has sections dealing with information security, and have a strong training program that includes education on security concerns and then test every employee on those standards and then document the results in personnel files. “Hot button” issues that should be referenced in these training materials include:  What are the company policies regarding use of thumb drives, camera phones, and any other portable devices?  Are employees allowed to access the internet while at work and, if so, is access restricted to certain sites?  Are employees allowed to access their personnel email accounts while at work?  Are employees allowed to email company information to their personal email accounts? Can employees download data, reports or customer information to portable devices such as tablets and phones? Consider these types of issues because your employees can literally carry your business in their pockets.

Dealerships are vulnerable to an information breach upon the separation of an employee so have a sophisticated separation process that is systematic, routine and applied consistently no matter the job description.  Critical items should include a list of all parties that should be notified of the exit; list of all systems and programs to which employee has access; list of company property in their possession; disable system access and recover keys and badges; delete or redirect accounts, including VPN, network, email and voicemail.  Additionally, remember to provide the exiting employee with a copy of the confidentiality agreement they signed during their employment and remind them of the serious consequences of any breach.

Make technology secure

You’ve bought all of this technology to protect your business, but make sure it won’t do you harm.  Check you have an appropriately sophisticated firewall for your business.  This will keep the bad guys out of your system, or at least it should.  Next, give thought to whether or not wireless access is provided.  A lot of dealerships provide it as a convenience to its customers and employees; however, outsiders can connect to your system and that can be dangerous so it may be a good idea to turn off wireless access outside of business hours. 

Consider installing tracking tools on mobile devices such as phones, laptops and tablets.  These allow for locating the device when missing, and can also be used to remotely wipe data from the device should the need arise.  Also, consider what type of information employees are allowed to store on a device.  Not all job descriptions are created equal.  Some are much more sensitive than others and deserving of more sophisticated encryption technology being placed on their devices.

Be sure to have policies and procedures related to employee use of email and the network. There should be a prohibition against using shared logins; each employee should have a unique username so that their activities can be identified and they can be held accountable.  There should also be an aggressive password policy that requires it to be changed on a regular basis, such as monthly or quarterly.   Have a policy that requires automatic screensavers after brief periods of inactivity, such as 10 to 20 minutes.  Again, it’s worth the small inconvenience to be assured that your computer stations won’t be open when employees leave their desks for extended periods of time.


The days of simply locking up the dealership at night are over. Take the initiative and examine not only the policies and procedures that govern information security, but also the practical aspects of how the dealership is run.  By attacking all three of these prongs, a dealer can put itself in the best position to make sure its information and customers are protected.

Steve Levine is chief legal and compliance officer of Sigma Payment Solutions and SecureClose. He can be reached at (817) 875-0621 or