Helion Automotive Technologies
Consumer Data Privacy Laws are Spreading Nationwide
Is your dealership located in one of these 20 states? If so, pay attention.
The California Consumer Privacy Act (CCPA) may be the first comprehensive data privacy law in the U.S., but it certainly isn’t the last. Since its passage, 19 additional states have introduced and/or passed similar laws, or have amended their existing breach notification laws to expand the definition of personal information or to add new reporting requirements.
The purpose of these new privacy laws is to require businesses—which include the majority of auto and heavy truck dealerships—to give consumers control over their personal information, including the right to know what data is collected, whether that data is sold and/or shared, the option to opt out of those sales or sharing, and the right to access and/or delete their data.
Some of these new laws aim to expand consumer rights through private right of action, which means that consumers have the right to sue if your business fails to adhere to the standards set forth in these new laws.
As of July 2019, here is a roundup of states with brief summaries of their legislation:
- California. The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. The law restricts the way personal information is used, stored and shared. Dealerships will be required to notify consumers about their data collection practices and allow consumers to opt out of having their data sold to third parties. The CCPA also allows consumers to bring a private right of action (a.k.a. lawsuit) against a dealership if their non-encrypted and non-redacted personal information is exposed in a breach that results from the dealership’s failure to implement reasonable security.
- Colorado. The Colorado Consumer Protection Act (CCPA) was passed in the spring of 2019. This law makes it easier for the attorney general’s office to pursue deceptive practices. Prosecutors no longer have to prove that a business acted maliciously towards consumers, or that bad practices must cause significant harm or impact before action being taken. The law also increases the maximum violation a business can be ordered to pay from $2,000 to $20,000.
- Hawaii. SB418 is modeled after the CCPA, but has an even broader reach since it does not define a business. The proposed law does not have a private right of action or specify any penalties, and the Office of Consumer Protection is tasked with enforcing the law.
- Illinois. SB 1624 requires businesses to notify the Attorney General of breaches involving at least 500 Illinois residents.
- Louisiana. Recent changes to the Database Security Breach Notification Law expand the definition of personal information and require notice of a security breach to all affected Louisiana residents within 60 days. Additionally, all businesses must maintain “reasonable security procedures and practices” to protect personal information. When consumer data is no longer retained for business use, reasonable steps must be taken to destroy it.
- Maine. Passed in June 2019, An Act to Protect the Privacy of Online Customer Information currently applies only to broadband Internet service providers (ISPs).
- Maryland. The Online Consumer Protection Act is modeled after the CCPA but with more expansive consumer rights to opt-out of the sharing of any personal information to third parties. However, during the 2019 General Assembly session this bill was postponed indefinitely.
- Massachusetts. An Act Relative to Consumer Data Privacy has even stricter standards than the CCPA. Similar to Maryland’s bill, it expands consumers’ rights to opt out of the sharing of information with third parties, and completely prohibits the sharing of information of minors under the age of 18. It also allows a private right of action for any violation of the law. If enacted, the bill would take effect January 1, 2023.
- Mississippi. The Mississippi Consumer Privacy Act was almost a replica of the CCPA, but the bill died in committee in February, 2019.
- Nebraska. LB757 requires all businesses that collect Nebraska residents’ personal information to implement and maintain reasonable security procedures and practices, including safeguards for the disposal of personal information.
- Nevada. SB 220 is modeled on the CCPA with only a few deviations, but applies only to owners of Internet websites and online commercial providers. The law does not allow private right of action.
- New Jersey. A-4902 is similar to the CCPA, but focuses more on the disclosure of personally identifiable information (PII) to third parties. Currently the bill applies only to owners and operators of commercial Internet websites and online services.
- New Mexico. The Consumer Information Privacy Act is modeled after the CCPA but has a broader scope due to shorter and more general definitions of the terms “business,” “consumer” and “minor.” However, this bill has been postponed indefinitely.
- New York. SB-S224 is even broader than the CCPA, which only allows a private right of action for failing to take reasonable measures to secure data. The New York bill extends the private right of action to additional violations, such as failing to act on a customer’s request to delete information. This means dealerships could potentially face hundreds of lawsuits from consumers. The bill is expected to pass in 2019.
- North Dakota. House Bill 1485 is not as strict as the CCPA, but it does prohibit the disclosure of personal information to third parties without written consent from a consumer. However, this bill has been replaced with a legislative management study with findings expected to be reported in 2021.
- Ohio. The Data Protection Act takes the opposite approach from the CCPA: rather than creating new liability, it gives businesses an affirmative defense against lawsuits arising from a security breach, as long as the business can show it maintained a written cybersecurity program that “reasonably conforms” to a recognized framework (the CIS Controls and the NIST Cybersecurity Framework are among those listed).
- Oregon. The Consumer Information Protection Act requires a vendor that discovers a security breach to notify the “covered entity” it serves within 10 days, and requires the covered entity (or the vendor, if the entity does not act) to notify the Attorney General if the breach involves more than 250 consumers or if the number of individuals affected is unknown.
- Rhode Island. The Consumer Privacy Protection Act is modeled after the CCPA, but as of April 2019 the bill is being held for further study.
- Texas. Effective January 1, 2020, the Texas Identity Theft Enforcement and Protection Act law will require businesses to send breach notifications to affected individuals no later than 60 days after identifying the breach, as well as to the Attorney General, provided that the breach impacts at least 250 Texas residents.
- Washington. The Washington Privacy Act is modeled after both the CCPA and the European GDPR, but does not give consumers a private right of action. The bill failed to pass in April but it’s currently in the state senate, where it has a chance to be amended.
In the next few years, expect this list of states to grow longer as well as new legislation that expands the scope of these bills. Don’t assume dead bills will never be resurrected.
It’s also important to note that there’s growing support for federal data privacy legislation. Proponents argue that the current system, with each state having its own data privacy laws, is too confusing. Several bills have been introduced to Congress by lawmakers, but so far none have passed. It’s uncertain whether federal legislation will supersede state laws.
Don't Set It and Forget It with IT [VIDEO]
Erik Nachbahr explains why dealerships shouldn't neglect their IT solutions in this video blog.
Warning: BlueKeep Malware Could be as Bad as WannaCry
Dealers, do your computers still run Windows 7, Windows XP, Windows Vista or Windows Server 2003? Do you have a Windows Server 2008 or 2008 R2? Be aware that these systems contain a critical flaw in Remote Desktop Services known as BlueKeep (CVE-2019-0708). BlueKeep is not itself a piece of malware; it is a hole that malware can use, and a worm built on it could be more destructive than the WannaCry ransomware outbreak of 2017.
Microsoft released a patch on May 14, 2019; however, public Internet scans found close to a million exposed computers and servers that were still unpatched weeks later. The potential harm is so great that the National Security Agency (NSA) and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have joined Microsoft in issuing warnings and raising awareness.
BlueKeep is a pre-authentication remote code execution vulnerability in the Remote Desktop Protocol (RDP) service. Put simply: if an unpatched machine’s Remote Desktop service (TCP port 3389) can be reached, whether from the Internet or from another computer on your own network, an attacker can run code on it without ever supplying a username or password. Because no user has to click anything, the flaw is “wormable”: malware that exploits it can spread on its own from a single infected machine to every other vulnerable computer in your network.
Not only that, but those computers can then infect other machines they can reach, rapidly spreading the bug to business networks and residential computers across the U.S. and other countries.
Successful exploitation gives the attacker full control of the machine (the code runs with SYSTEM privileges), which is all that is needed to install ransomware or other malware, steal data, or create new administrator accounts.
The BlueKeep vulnerability could be used to launch cyberattacks on the scale of 2017’s massive WannaCry attack, which infected more than 200,000 computers with ransomware and cost companies billions of dollars.
To protect your dealership, install Microsoft’s May 14, 2019 security update for CVE-2019-0708 on every affected machine. Microsoft issued the fix even for the long-unsupported Windows XP and Windows Server 2003, which tells you how serious the flaw is. Until every machine is patched, reduce exposure the way Microsoft recommends: enable Network Level Authentication (NLA), which forces a valid login before the vulnerable code can be reached; block TCP port 3389 at your firewall so Remote Desktop is never open to the Internet; and disable Remote Desktop entirely on machines that don’t need it. One caveat: NLA only stops attackers who have no credentials. Anyone with a valid account on the machine, including a compromised employee account, can still trigger the bug until the patch is installed.
Better yet, upgrade to Windows 10, which receives the latest security patches automatically. Windows 8 and Windows 10 are not affected by this bug.
If you’re still using Windows 7 but reluctant to upgrade, be aware that on January 14, 2020, Microsoft will end support for it, so you’ll be forced to upgrade at that point anyway. May as well do it now.
But in the meantime, patch your computers and servers: attackers are already scanning the Internet for machines with Remote Desktop exposed.
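The exposure question that matters for BlueKeep is whether an unpatched machine’s Remote Desktop service can be reached before any login, and that is something you can test for yourself. The script below is an added example, not Helion’s code or Microsoft’s tooling. It performs only the first step of the RDP handshake, the X.224 Connection Request and Connection Confirm described in Microsoft’s MS-RDPBCGR specification, offering the server plain “standard RDP security” and reporting whether the server accepts it, insists on TLS, or refuses until Network Level Authentication is performed. It never authenticates or exploits anything. The sample responses embedded in the block are constructed to match the specification’s message layout rather than captured traffic, and the host name in the usage comment is hypothetical. A server that reports `nla_required: False` is reachable pre-login and should be patched and have NLA enabled right away; a server that requires NLA is still vulnerable to anyone holding valid credentials until it is patched.

```python
"""rdp_nla_probe.py: does an RDP server let unauthenticated clients in?

Added example (not Helion's or Microsoft's code). Only the X.224 Connection
Request / Connection Confirm exchange from MS-RDPBCGR sections 2.2.1.1 and
2.2.1.2 is performed; nothing is authenticated or exploited.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000      # standard RDP security: reachable before any login
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication (NLA)

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values from RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
NLA_FAILURE_CODES = {5, 6}   # both mean "authenticate before you get any further"


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    cookie = b"Cookie: mstshash=probe\r\n"      # routing cookie; the name is arbitrary
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    body = b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg_req  # dst-ref, src-ref, class
    x224 = bytes([len(body) + 1, 0xE0]) + body   # LI counts every byte after itself
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Classify the server's X.224 Connection Confirm.

    Returns nla_required (bool), outcome ('accepted' | 'refused' | 'legacy')
    and a human-readable detail string.
    """
    if len(data) < 11 or data[0] != 0x03 or data[5] != 0xD0:
        raise ValueError("not a TPKT-framed X.224 Connection Confirm")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field does not match payload size")
    if len(data) < 19:
        # Pre-Vista servers answer without any RDP_NEG_RSP: only standard
        # RDP security exists there, so the service is reachable pre-login.
        return {"nla_required": False, "outcome": "legacy",
                "detail": "no negotiation response; standard RDP security only"}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError(f"unexpected negotiation structure length {neg_len}")
    if neg_type == TYPE_RDP_NEG_RSP:
        names = {PROTOCOL_RDP: "standard RDP security", PROTOCOL_SSL: "TLS",
                 PROTOCOL_HYBRID: "CredSSP (NLA)"}
        return {"nla_required": value == PROTOCOL_HYBRID, "outcome": "accepted",
                "detail": f"server selected {names.get(value, hex(value))}"}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"nla_required": value in NLA_FAILURE_CODES, "outcome": "refused",
                "detail": f"server refused: {FAILURE_CODES.get(value, hex(value))}"}
    raise ValueError(f"unknown negotiation structure type {neg_type:#x}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Offer only standard RDP security and report how the server responds."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        header = _recv_exact(sock, 4)                      # TPKT header first
        total = struct.unpack(">H", header[2:4])[0]
        return parse_connection_confirm(header + _recv_exact(sock, total - 4))


# Constructed sample responses (not captured traffic), laid out per the spec.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_RDP_ACCEPTED = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_LEGACY_SERVER = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    # usage: python rdp_nla_probe.py rdp-host.example.internal [more hosts...]
    for target in sys.argv[1:]:
        try:
            result = probe(target)
            flag = "OK (NLA required)" if result["nla_required"] else "EXPOSED pre-login"
            print(f"{target}: {flag}; {result['detail']}")
        except (OSError, ValueError) as exc:
            print(f"{target}: probe failed: {exc}")
```

Run it against your own hosts only, from inside the dealership network as well as from outside, since BlueKeep spreads just as well between internal machines as it does from the Internet. The probe tells you about reachability and NLA, not about patch status: a machine that requires NLA still needs the May 2019 update.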
Cybercriminals are becoming more sophisticated and aggressive in their attempts to breach business networks. The BlueKeep threat could potentially shut down your dealership’s operations and cost thousands, if not millions of dollars, to remedy.
A multi-layered approach to network security is highly recommended; as well as proactively keeping abreast of all the latest threats, and methods for protecting against them.
Resolving Vendor Finger Pointing [VIDEO]
In this video blog, Helion Founder & President Erik Nachbahr shares how dealers can resolve circumstances in which they have vendors blaming other vendors for IT issues.
Windows 7 End of Life is Coming
Is your dealership still using the Windows 7 operating system? As of January 2020, Microsoft is discontinuing all support for Windows 7, which means they will no longer be releasing security updates. If you haven't upgraded to Windows 10 by January 14, 2020, your dealership will be highly vulnerable to attacks from cybercriminals.
This event is similar to when Microsoft retired Windows XP in 2014. Within just a few months, cybercriminals were actively exploiting newly discovered flaws in Windows XP that would never be fixed, specifically targeting businesses that were still running it.
Unfortunately, upgrading to Windows 10 isn't as simple as installing new software. In most dealerships that I've seen, the computers running Windows 7 are almost as old as Windows 7 itself. In order to upgrade to Windows 10, you'll also have to replace many of your PCs. Older PCs often lack the memory, disk space and vendor driver support needed to run Windows 10 well, let alone all your other software applications.
When you start upgrading your PCs, a domino effect starts. Windows 10 keeps itself current with large feature updates and background downloads, and new PCs ship with faster network adapters, so it's very likely you'll also have to upgrade your network switches, WiFi access points and possibly servers.
Many dealerships have small IT teams or even a single IT employee. Sometimes that person is a friend or family member of someone who works in the dealership. If this describes your situation, an upgrade of this magnitude could prove to be a nightmare and major disruption to your business. You might want to consider outsourcing or hiring a temporary IT team to help you with this task.
Another reason to upgrade to Windows 10 sooner rather than later is the new consumer privacy and data security laws that take effect in 2020. Most of them require "reasonable" security measures, and an operating system that no longer receives security patches is very hard to defend as reasonable. If your dealership resides in a state that has recently passed one of these laws, staying on Windows 7 could put you out of compliance.
If your dealership resides in California, Washington, Alabama, Louisiana, Colorado, Nebraska, Ohio or Massachusetts, make sure you're aware of state requirements. If your state is not among those listed, you're not off the hook. Keep checking, because more state legislatures will pass similar laws soon.
To ensure your dealership is safe from cyberattacks, act quickly. As of January 2020, cybercriminals worldwide will be actively targeting businesses still running Windows 7.
How to Evaluate IT Solutions for Your Dealership [VIDEO]
Helion Technologies Founder & President Erik Nachbahr shares some tips on what dealerships should be looking for in an IT solution for their dealership.
Helion Technologies Becomes a CIS SecureSuite Member
Timonium, MD – May 21, 2019 – Helion Technologies today announced it has become a CIS SecureSuite® member. Through this membership, Helion is bolstering its auto dealership clients' cybersecurity defenses by leveraging CIS SecureSuite resources. The CIS Benchmarks™, the consensus-based, internationally recognized security configuration resources, CIS-CAT Pro, and the CIS Controls™, a set of cyber practices developed by global experts, all help to protect an organization against pervasive and dangerous cyber-attacks.
“We are pleased to add our new CIS SecureSuite membership to our already robust cyber defense toolbox,” said Erik Nachbahr, president and founder of Helion. “CIS Benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA, and other security requirements."
“We welcome Helion Technologies as a CIS SecureSuite member, and look forward to collaborating with them to help enhance their clients' cybersecurity posture,” said Curtis Dukes, CIS Executive Vice President Security Best Practices & Automation Group.
CIS’s SecureSuite membership provides members with tools for measuring information security status and resources for making informed security investment decisions. Members include organizations from virtually every industry sector and every size, ranging from independent consultants to Fortune 500 companies. Recent upgrades to CIS’s CIS-CAT Pro tool now provide SecureSuite members a dynamic view into their systems’ conformance with the CIS Benchmarks and how it maps to the CIS Controls over time.
The CIS Benchmarks program is a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. CIS Benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for the Federal Information Security Management Act, PCI, the Health Insurance Portability and Accountability Act and other security requirements.
Helion's Nachbahr, along with several other Helion team members, has also earned the Certified Information Systems Security Professional (CISSP) certification. The CISSP is an independent security certification granted by the International Information System Security Certification Consortium, (ISC)².
For more information about Helion or for a free security risk assessment, call 443-541-1500 or visit https://heliontechnologies.com/.
About Helion Technologies
Helion Technologies is the largest managed IT services provider focusing specifically on the needs of automotive and heavy truck dealers. Helion's solutions ensure faster networks, secure data protection, increased employee productivity and better compliance. Helion has specialized in IT for more than 20 years and works with 700+ auto dealers nationwide. Dealers can request a free assessment of their IT needs at www.heliontechnologies.com.
About CIS
CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. The CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. Our CIS Hardened Images™ are virtual machine emulations preconfigured to provide secure, on-demand, and scalable computing environments in the cloud. CIS is home to both the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center™ (EI-ISAC™), which supports the cybersecurity needs of U.S. State, Local and Territorial elections offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.
Is Your Customer Data Safe?
Consumer data privacy concerns are constantly in the news. Growing pressure on lawmakers to do something has resulted in a wave of new consumer privacy legislation being passed in many states.
California has passed the California Consumer Privacy Act (CCPA). A similar law is expected to soon pass in Washington state. Alabama, Louisiana, Colorado, Nebraska, Massachusetts and Ohio have recently added new data security standards to their data breach notification laws. You can bet that other states will follow suit.
These laws require that businesses take “reasonable measures” to secure consumers' personal information, such as names, addresses, social security numbers, credit card numbers, credit scores and bank account numbers.
The definition of "reasonable measures" varies from state to state, but all of these laws highlight the importance of protecting your customer data. For most dealerships, becoming compliant with these laws is likely going to require upgrades to software, hardware and data security equipment, as well as the implementation of new policies and procedures.
In its 2016 California Data Breach Report, the California Attorney General's office stated that the 20 Critical Security Controls published by the Center for Internet Security define a minimum level of information security, and that failing to implement all of the controls that apply to an organization constitutes a lack of "reasonable security." In a nutshell, if your dealership is located in California, you'll be measured against the following:
1) Inventory and control of hardware assets
2) Inventory and control of software assets
3) Continuous vulnerability management
4) Controlled use of administrative privileges
5) Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
6) Maintenance, monitoring and analysis of audit logs
7) Email and web browser protections
8) Malware defenses
9) Limitation and control of network ports, protocols and services
10) Data recovery capabilities
11) Secure configuration for network devices such as firewalls, routers and switches
12) Boundary defense
13) Data protection; encryption, integrity protection and data loss prevention techniques
14) Controlled access to data based on the need to know
15) Wireless access control
16) Account monitoring and control
17) Implement a security awareness and training program
18) Manage the security life cycle of all web-based or application software
19) Develop and implement an incident response infrastructure and management plan
20) Penetration tests and red team exercises to test strength of defense
Is your dealership taking all of these "reasonable measures" to protect your data from the threat of cyberattacks? If not, you might be subject to fines from your state attorney general's office and/or litigation from consumers.
When it comes to protecting consumer data, dealers can no longer afford to do business as usual. If your state hasn't already updated its data breach notification law or passed a consumer privacy law, it soon will. It's up to every dealer to learn what their state's data security requirements are, and proactively take steps to become compliant.
Helion Presents Free Cybersecurity Online Webinar
Learn how to protect your customer data, bank accounts & reputation
Wednesday, May 15 at 2 pm ET
Timonium, MD – May 2, 2019 – Helion Technologies is offering a free online webinar titled "Cyber Criminals are Targeting Your Dealership! Are You Prepared?" In this presentation, Helion's President and Founder Erik Nachbahr explains how cyber criminals are successfully attacking dealerships, and shares technology, process and training protocols that dealers can implement to protect their customer data, bank accounts and reputation.
The webinar is scheduled for Wednesday, May 15 at 2 pm ET.
"A dealership with 600 employees recently ran a baseline test of its employees with a simulated phishing attack, and 87% of the employees clicked on the email link. That's an incredibly high number and indicates just how vulnerable dealerships are," said Nachbahr. "The good news is, cyber attacks can be easily prevented with the right systems and procedures in place."
Many dealerships have fallen victim to sophisticated cyber attacks that target employees. Dealers make attractive targets for cyber criminals because they tend to have a lot of cash in their bank accounts and conduct a large number of electronic financial transactions.
Even when dealerships have firewalls and anti-virus software in place, they're still at risk. That's because 91% of data breaches start with a phishing attack. Phishing attacks use email to lure employees into downloading malware, uploading sensitive information or handing over login credentials to dealership systems.
Dealership personnel who attend this webinar will learn:
- Network and cloud technology solutions to help keep your dealership secure
- Internal human processes that reduce the risk of exposure
- How to provide employee security awareness training, which reduces the risk of a successful phishing attack from 27% to 2%
Helion's webinar is free to attend and is designed for dealership CFOs, dealer principals, general managers, controllers, department managers and CPAs.
Registration for the free webinar is available on Helion's website. For more information about Helion, call 443-541-1500 or visit https://heliontechnologies.com/.
Helion Partners with CNCDA to Educate Dealers on Privacy Act Compliance
Timonium, MD – April 30, 2019 – Helion Technologies has partnered with the California New Car Dealers Association (CNCDA) to educate dealers on how to comply with the California Consumer Privacy Act (CCPA). The sweeping new privacy law takes effect in January 2020, imposing new data security standards on dealerships located in California, as well as third-party vendors that access and/or store customer data from these dealerships.
In a nutshell, the CCPA requires businesses to implement "reasonable" security measures to protect consumers' personal data. The California Attorney General's 2016 Data Breach Report treats the 20 Critical Security Controls published by the Center for Internet Security as the minimum level of reasonable security.
"For most dealers, compliance will require significant upgrades to their software, hardware and data security equipment," said Erik Nachbahr, president and founder of Helion Technologies. "Additionally, dealerships will need to implement internal processes designed to keep data safe, and provide their employees with security awareness training."
"CNCDA is excited about our new partnership with Helion and the technical expertise they will bring to our members. We are committed to supporting the necessary outreach and critical education so that California dealers better understand the legal requirements of the CCPA, as well as the most cost-effective ways to keep their dealerships in compliance," said Brian Maas, president of CNCDA. "Helion's knowledge in data security and technology will be enormously helpful to our dealer members as they navigate bringing their networks up to CCPA standards."
The CCPA applies to any for-profit business doing business in California that meets ONE of these requirements:
1) has annual gross revenues of $25 million or more
2) buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices per year
3) derives 50% or more of its annual revenue from selling consumers' personal information
Many dealerships meet the first two requirements. In addition to dealers, the CCPA applies to third parties located outside of California. This means that auto manufacturers, dealership management software (DMS) vendors, CRM vendors, marketing vendors and any other entity that dealers share their customers' personal information with, must also comply with the new law.
The CCPA gives consumers new rights over how dealerships collect and use their information. Once the law takes effect, upon a verifiable request from a consumer, dealers will be required to:
- Disclose the categories and specific pieces of personal information collected about the consumer, where it came from, the business purpose for collecting it, and the categories of third parties it was shared with or sold to
- Delete the consumer's personal data unless an exception applies (for example, data needed to complete the transaction or to meet a legal obligation), and direct any service providers holding that data to delete it as well
- Stop selling the consumer's personal information to third parties (the right to opt out), which must be offered through a clear and conspicuous "Do Not Sell My Personal Information" link
- Continue to serve the consumer on the same terms; a dealership may not deny service, charge a different price or provide a lower level of service because a consumer exercised these rights
Dealerships are also required to proactively provide full disclosure to consumers about what their data is used for, who it gets shared with and for what purpose, at the time said data is collected.
Non-compliance may result in fines and a flood of litigation from consumers.
For more information about Helion, call 443-541-1500 or visit https://heliontechnologies.com/.
About CNCDA
For more than 95 years, CNCDA has represented the interests of California’s franchised new car dealers. CNCDA members are primarily engaged in the retail sale and lease of new and used motor vehicles, but also provide customers with automotive products, parts, service and repair. Our members sold more than 2 million new cars and trucks in 2017 and employ more than 140,000 Californians, significantly contributing to our state’s economy. As the nation’s largest state association of franchised new car and truck dealers—with nearly 1,200 members—CNCDA serves its members by providing legal compliance and legislative, regulatory and legal advocacy. For more information, visit www.cncda.org.