If it’s from within the company, it can pose a quandary to dealers since some insurance policies will exclude coverage if it’s an inside job pulled off by an employee. Theft can occur by simply walking over to the filing cabinet and stealing someone’s personal information, including their social security number.
Federated offers a policy that covers owners individually for identity theft protection of their personal data. “We built in identity theft protection for them and also offer the ability to add data compromise coverage to cover data compromise of customers and employees,” West says. “You have exposure right inside your own business—our coverage picks that up as well, even if it was theft by an employee.”
Spruce Computer Systems, a Latham, N.Y.-based LBM software provider, has taken the stance of moving all stored information out of its software and essentially off the premises of its customers. In short, the dealer doesn’t get caught holding the bag if they’re not holding customer’s information onsite.
“We’ve created a relationship with the credit card processor—when the transaction is swiped, the transaction is encrypted at the pad and sent via encryption through the Internet,” says John Maiuri, vice president of marketing at Spruce Computer Systems.
Maiuri compares the process to the dealers who already have their data and information backed up or hosted offsite.
“The folks that are doing the processing are more at the leading forefront of security and technology,” Maiuri says. “You are moving the possible threat to the people who are responsible and can aggregate the cost.”
Looming on the horizon are big changes when it comes to credit card transactions, however. A chip and pin process takes effect in October of 2015 and will impact all who fall under the general retail category. Under new codes, liability for processing cards will shift from the processor to the merchant.
“So at that point, if you have data loss, you are 100% responsible for the loss along with penalties and fines,” Maiuri explains.
Some dealers have not taken an information breach lightly. “It could be just as devastating as a fire,” says John Howell, IT director at Shepley Wood Products in Hyannis, Mass. “And you don’t want that kind of publicity.”
Massachusetts witnessed one of the largest retail data breaches ever in 2007 when hackers stole data from nearly 48 million credit and debit card shoppers of discount retailer T.J. Maxx and its sister chain Marshall’s. The theft resulted in new state laws requiring retailers be responsible for all data breached.
Shepley has taken multiple steps to secure its information foundation—the company does not store any information in house but rather via a third-party provider. “It’s too big of a liability,” Howell says.