
Risk Assessment

The more dealers venture online to capture sales, the more they put themselves at risk of a data breach. The editor shares some insights he picked up during this year’s Vehicle Finance Conference.

February 6, 2015


Data security is the focus of this month’s cover story. It was also the focus of a panel discussion at the American Financial Services Association’s 2015 Vehicle Finance Conference, which was held in San Francisco last month, directly ahead of the 2015 NADA Convention & Expo.

The panel, “Protecting Your Customers’ Data,” included Tony Buffamonte, principal in KPMG LLP’s advisory services practices; Boulton Fernando, chief information security officer for Toyota Financial Services; Kristen Mathews, who heads up the privacy and data-security group for Proskauer Rose LLP; and Brad Miller, associate director of the National Automobile Dealers Association (NADA)’s legal and regulatory affairs department.

Much of the discussion centered on how finance sources can protect their data. But what brings that threat down to Main Street is the fact that dealers collect the same personal data finance sources spend millions to protect. That realization brought to mind a quote that appeared in a July 2011 cover story on Honda of Tenafly (N.J.).

“The one thing I don’t like about the Internet is that it nickel-and-dimes you,” said co-owner Norman Dorf. “I mean, we’re spending a fortune between all the different technology companies.”

I know Dorf wasn’t referring to data security when he made that statement, but according to the NADA’s Miller, it’s those expenditures that are putting dealers at risk today. “The No. 1 issue is, dealers rely so heavily on service providers,” he said, noting that 40% of the association’s 16,000 members are dealers who sell 300 or fewer vehicles per year — “folks that don’t have IT staff,” Miller added.

“[Dealers are] swimming in relatively deep water,” he said. “They try to hire competent service providers, but they need to monitor these folks.”

Miller was part of the team that drafted the 14-page data-security memo the NADA distributed in August 2013. It warned, among other things, that regulators such as the Federal Trade Commission (FTC) may consider third-party vendor access to transaction data stored in a DMS as “sharing,” which is prohibited by the Gramm-Leach-Bliley Act’s Privacy Rule.

And it’s guilt by association if one of your vendors gets hacked and the data it collects from you is compromised. “[Dealers] have really put a ring fence around what they’ve done internally, with the way data flows,” Miller said. “By necessity, you expose all of this to a bunch of third-party service providers. That’s what the federal government agencies have opened their eyes to.”

Now, if you haven’t conducted a little research on incident-response vendors, identity-theft companies and even public relations firms, you need to get on it. As the panel noted, you won’t have much leverage if you negotiate pricing and terms after you suffer a breach. You also need to develop a written policy detailing how your organization intends to protect your customers’ nonpublic personal information (NPPI). Regulators will treat you much better if you do, at least according to members of the panel.

The first thing you need to do is conduct a risk assessment to identify what KPMG’s Buffamonte called your organization’s “crown jewels” — for dealers, it’s all that NPPI you collect. You also need to gather as much threat intelligence as you can, which associations like the NADA can help with.

In addition, your policy manual needs to address how you intend to notify regulators and your customers if there is a breach. “Reach out to regulators before they reach out to you,” Miller warned. “It’ll make a difference in how they’re going to treat you. But do it at the same time you’re ready to go public.”

But before going public, Proskauer Rose’s Mathews recommended first shoring up the vulnerability. “If you don’t, the initial message will likely have inaccuracies,” she said.

That’s what happened to TJ Maxx when it experienced a breach in December 2006. The company went public a month later. Unfortunately, when the communications officer responded to a question about the size of the breach, she said the number of records compromised was less than one million. “Three months later, it was discovered the breach may have compromised 40 million records,” Mathews said.

And when that happens, the scrutiny intensifies.

Finally, as TFS’s Fernando noted, “[Cybersecurity is] not a technology problem, not the office’s problem; it’s everyone’s problem.” In other words, those phishing emails that land in your inbox represent a real threat, as you’ll read in this month’s cover story.
