Page 8 - MIADA-Q4-2022
Continued from previous page

and the chair – in other words, your own employees. Therefore, all your employees must receive security awareness training. This can include basic Safeguards training, as well as phishing simulations and testing. Such training should occur at initial hiring and repeated at least annually thereafter.

In addition to this standard employee training, your QI and IT personnel (including appropriate service providers) need ongoing training to remain current on evolving threats and security developments. Because the occurrence and effectiveness of this training must be verified, archived testing should be a part of the process.

OVERSEE SERVICE PROVIDERS

There are four subparts to this requirement. First, you must take reasonable steps to select service providers that are capable of adequately protecting customer data. Second, you must obligate your service providers by written contract to implement the safeguards necessary to protect customer data. Third, you must “periodically assess” your service providers with respect to this obligation. Fourth – and this is new – you must monitor your service providers on an ongoing basis to verify they are maintaining adequate safeguards. This does not mean “continuous” oversight, but it must be regular. This last obligation is potentially overwhelming. Fortunately, there is software that can accomplish the task relatively inexpensively. Whether you must actually audit service provider compliance is not yet clear.

DRAFT INCIDENT RESPONSE PLAN

What do you do in the aftermath of a “security event” – anything that results in unauthorized access to or misuse of an IT system and its contents? The answer to that question must be set forth in a written Incident Response Plan, and it must be accomplished before the security event occurs (and certainly before December 9, 2022). Again, NADA has a sample Incident Response Plan in its Guide. It’s an excellent starting point.

DRAFT ANNUAL REPORT

As if the foregoing is not enough, there remains one more annual task: the written annual report. The QI must prepare this for the dealership’s board of directors (if there is one) or senior management (if there isn’t). The annual report should memorialize the effectiveness of the Information Security Program, any security events and the dealership’s response, the status of service provider performance, the status of service provider agreements, the results of any testing, and any recommended changes to improve the Program.

That’s a lot, and that’s just the blueprint. But blueprints aren’t completed projects – they’re just the instructions. Once you understand the blueprint, you understand the scope of the project. Now you just need to put it out to bid!
8 | MSIADA MISSISSIPPI DEALER Q4 2022