A dealer software firm has been censured after a breach of its data security.
Now iVendi believes the action taken by America’s Federal Trade Commission against DealerBuilt, a US dealer management systems firm, serves to remind dealers in the UK of the importance of data security.
iVendi chief executive James Tew said: “It appears, from the FTC’s statement, that there were almost no proper security policies in place at all - no vulnerability scanning, no penetration testing and no other measures that would have detected the problem.”
DealerBuilt has just been censured by the Federal Trade Commission for failing to encrypt customer data, alongside a range of other failings, which led to the hacking of the personal information of almost 70,000 customers in 2016.
“In this case, the company at fault has only been punished by putting in place a range of future measures surrounding security. It is difficult to see the Information Commissioner in the UK being as lenient.”
He said that the damage to the company and its clients was likely to be considerable from a practical and reputational point of view, given that in the case of a breach at a software firm the dealer clients would have to inform the end customers that their data had not been secure.
“Of course, in the UK, that kind of loss of data can also result in a fine of up to 4% of global turnover. That’s an amount that should concentrate minds.”
Tew said that iVendi believed a large number of dealers in the UK did not place sufficient emphasis on the security of customer data and that standards in the sector overall were too low.
“The security of customer data should be paramount but we see many cases where only the bare minimum standards are being enforced. Many dealers are storing tens of thousands of consumers’ records and identifiable personal information.
“Both the technology provider and dealer can be fined by the ICO in the event there is a breach and negligence is proven, so even if dealers are satisfied with their own arrangements, they need to ensure that their digital partners are up to scratch.”
Tew said that the issue was generally one of cost – good data security was expensive, as iVendi has experienced directly in running a full-time security department and gaining accreditations including ISO 27001 and Cyber Essentials.