As agricultural products and services have become more technologically oriented in the past decade, customers’ expectations and concerns about privacy and data security have also evolved. This issue is not unique to equipment dealerships, says Lance Formwalt, an attorney with Siegfried Bingham law firm in Kansas City, Mo., but it’s one that requires diligent attention and proactive changes.

“Whether you’re talking about yield data or social security numbers, customers are sensitive to information that’s identifiable to them,” Formwalt says. “In addition to the customer data, you’ve got your own data which you want to try to protect. You’ve also got employee data that you’re stewards of, and you have obligations to protect that as well.”

According to Formwalt, it’s crucial that dealers identify their obligations in regard to managing data in their possession. An important aspect of that data management is addressing government regulations and staying up to date on any changes.

“There’s a sea change in the United States — it’s starting to move toward the regulatory environment that’s been going on in other parts of the world for quite a while,” Formwalt says. “If someone gets into your system and gets access to that data, there are legal requirements for you to report that to the government in some cases, or to notify customers.”

---

“Start to think about data security today, and then you’ll be in a better position to adapt to changes down the road. The time to act is now…” –Lance Formwalt

---

John Fuchs, another attorney with Siegfried Bingham, notes that all 50 states have passed a data breach notification law. However, at this point those laws usually only apply to specific types of personal data, Fuchs says, such as social security numbers, credit card numbers and certain types of health data.

These laws pertain to “what I tend to think of as fairly sensitive data that, if somebody were to breach it and get access to it, people would really like to know,” he says. “If you have what’s defined as a breach, you’re required to notify your customers.”

The timeframe in which customers must be notified differs from state to state, as does the criteria for notifying the state attorney general. However, Fuchs notes regardless of whether a data breach incident occurs in a state with laws that are more comprehensive, the error will be costly.

“The cost of a breach is fairly significant,” Fuchs says. “You’re better off trying to proactively limit the risks of a breach, rather than being reactive to it.”

Formwalt agrees.

“There can be a lot of dollars involved, and you may have to fight between multiple parties to get reimbursed,” he says. “This is a real issue that can have significant costs to businesses.”

Ransomware Can Have Devastating Consequences

Sometimes those costs don’t involve the legal system, but instead come in the form of the demand for a ransom payment to a hacker who has tunneled into a business’s data management system and locked the files, says Dave Stamm, CEO of Stamm Technologies, a technology consulting, computer support and IT services firm based in Milwaukee, Wis. 

“With ransomware, the bad guys lock up all your data and ask you to pay them a ransom in order to get a password that will unlock the files,” Stamm says. “You pay the ransom and, in theory, the bad guy sends you the decryption key. You enter that key and get all your stuff back.”

According to Stamm, ransoms can be anywhere from $1,000 to $20 million.

“Businesses are spending $75 million or more a year on this type of stuff,” Stamm says. “The average recovery payment is $141,000. That’s a scary number, and that’s why we care about this.”

Stamm says the criminals who send out ransomware tend to send it out en masse, with no real agenda for where it lands. That means it’s just as likely to infect and encrypt the data collected by a dealership as it is to lock up the data on someone’s home computer.

“Once you are hit with this, you really have two things you can do — you either have to restore everything you have from backup, or you pay the ransom,” Stamm says. “That’s it. Great backups are really the key, and awareness — when you’re reading your emails and you’re just not sure if it’s safe, pause to say, ‘I better not open this.’ 

“If for some reason you have any concern that you opened something that might have infected your files, turn off the computer and seek help. The first thing ransomware does is encrypts your computer, then it spreads to the network. It looks at everything it can see — the servers and everything else — and it starts locking up everything. But it does it in a specific order. So, if you turn it off quickly, it’s likely that it’s only infected you and not everybody else.”

Proactive Risk Management Pays Off

It’s important for dealers to think about what they can do to manage the risk involved with housing so much personal data, Formwalt says. One important element of that risk management will likely be some form of data breach insurance protection. However, Formwalt cautions dealers to carefully examine coverage options and the costs associated with them, as well as to take a hard look at how much that insurance policy is going to help in the event of a data breach.

“Insurers are getting a lot more particular about who they are going to issue these policies to,” Formwalt says. “They are absolutely paying attention to what you are doing in your business to actually secure your data. There’s no get out of jail free card anymore, with respect to these insurance policies.”

Formwalt also notes that the insurance options available are extremely customized, and there will likely be exclusions for different customer bases. Additionally, he says a lot of policies now exclude fines and penalties.

“Insurance is certainly an important part of your plan,” Formwalt says. “But it’s going to require you to focus on getting your own house in order in terms of how you manage data in your business. More and more of these laws are requiring you to have a privacy policy, and your customers and manufacturers have really started to expect that.”

Formwalt says most dealers are legally obligated to have a privacy policy in place. According to him, that policy should address all the data collected by a dealership — not just the data collected through the website.

“Take an inventory of what you have in place today, and look at whether you need to make some changes there,” Formwalt says. “The other component of this that’s really critical is for dealerships to really take a look at their data security program.”

Comprehensive Data Security Plans Protect Everyone

A data security program isn’t just important because it’s something customers are asking for — Formwalt and Fuchs say it’s important because of the legal obligations involved, as well as the financial penalties that may arise if proper protocols aren’t in place and adhered to.

“Do not sit on this thing,” Formwalt says. “This is a building block kind of scenario. Start to think about data security today, and then you’ll be in a better position to adapt to changes down the road. The time to act is now. It’s going to have an impact on your insurance premiums as well. So to the extent you want to rely on both, you need to take some action.”

Dealers that are just beginning to create a data security plan should start by taking inventory of everything the data collects, Fuchs says.

“Take an inventory of the types of data and how they come in, as well as a full inventory of what systems they go into,” Fuchs says. “Also note where they are physically located or who has control of them.”

Formwalt suggests that dealers who are overwhelmed by this process consider hiring an outside consultant to assist, as well as seek out existing materials that can help dealers wrap their heads around all the data involved in their business.