Is Your Email a Security and Compliance Risk

Email is central to almost every element of the business process for dealers, which includes credit applications and financing. However, should it be? 

While email is familiar and easy for your team, it is riddled with risks and weak security protections. This is true of many kinds of communication but is particularly dangerous when it comes to financial matters.

According to TechRepublic, more than 1.5 billion users had personal information stolen in cyberattacks in 2021. Two of the biggest causes of this stolen information were unauthorized network access and unsecured servers/databases, both of which are directly tied to email access and transmission.

Managing any credit application or financing via email is an inefficient and high-risk practice, and it is about to become much worse when new federal regulations taking effect in December raise the requirements dealers must meet to handle customers’ financial information.

Why Is Email So Risky?

One of the reasons email is so risky is that it is such an integral part of day-to-day business. There is literally no part of a business that doesn’t use email, and it is the most common way to transfer information and documents. Because it is so common, your team may give little thought to the fact that not all information or documents are suitable for email transmission.

The fact is that any email sent from your dealership, whether the sensitive content is in an attachment or just in the text body of the email, is at risk on some level. An email travels a path littered with security gaps that can expose sensitive information to theft by cybercriminals or to accidental transmission to the wrong parties.

The Journey of An Email

It may surprise some dealers that sending an email is not a straightforward process. An email does not go directly from point A (the sender) to point B (the recipient).

  1. An email sent from your device (whether it’s a desktop, tablet, phone, etc.) first connects to your company server. For most companies, this is a lower risk, but it does require constant vigilance over who has access to these email accounts and servers. 
  2. Once the email is sent, it passes through multiple servers until it reaches the recipient’s company server. This is the highest-risk portion of the email transmission. The most troubling part of this stage is that neither the sender nor the recipient has much insight into, or control over, whether the information in the email is being protected.
  3. After traveling through multiple servers, the email must still move from a server to a computer or mobile device. Depending on the internet connection or the Wi-Fi network, this step can leave many devices unprotected, where even the most amateur hacker could potentially capture customers' financial information.

The Limitations of Encryption

Many companies take the step of encrypting email or email attachments. Encryption scrambles the body of an email message so that it can be read only by the sender and the intended recipient, and in doing so it hopefully protects sensitive information.

While this seems like a good safeguard, its actual impact can be quite limited. Per the University at Buffalo (UB), encryption is only effective if both the sender and the receiver have set it up. It is highly unlikely that a dealer would press a customer or a lender on their encryption standards during a credit application and financing process.

Attachments are somewhat easier to encrypt, but encrypted attachments are often dropped by mail systems because their contents cannot be scanned before delivery.

“Email by default is not and was never intended to be a secure mechanism for sending sensitive data,” Catherine J. Ullman, Senior Information Security Analyst for UB, said. “Although you need credentials to log in and access the email in your mailbox, email is by default sent from server to server in clear text that can be read by anyone while in transit.”
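The two points above (an email crosses several servers, and server-to-server delivery may be clear text) can be checked after the fact from the `Received:` headers that each server writes onto a message. The following script is an added example, not from the original article or UB: it walks a constructed header trace (made-up hostnames, ids and timestamps) and flags hops whose `with` keyword (per RFC 3848) shows no STARTTLS protection. Only the `Received:` lines written by servers you operate can be trusted; upstream servers write whatever they like.

```python
import re
from email import message_from_string

# Constructed sample (not real mail): a message left a dealer laptop, crossed
# an ISP relay in clear text, and arrived at a lender over TLS. Receiving
# servers prepend their Received: header, so the newest hop is listed first.
SAMPLE_HEADERS = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
 by mx.lender.example with ESMTPS id a1b2c3
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 7 Nov 2022 10:15:02 -0800
Received: from mail.dealer.example (mail.dealer.example [203.0.113.10])
 by relay.isp.example with ESMTP id d4e5f6;
 Mon, 7 Nov 2022 10:14:58 -0800
Received: from laptop.dealer.example (unknown [192.0.2.25])
 by mail.dealer.example with ESMTPSA id g7h8i9
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
 Mon, 7 Nov 2022 10:14:51 -0800
Subject: Credit application
"""

# "from <host> ... by <host> ... with <protocol>" clause of a Received: header
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)


def audit_hops(raw_headers):
    """Return hops in delivery order, each with whether the session used TLS.

    RFC 3848 keywords: ESMTPS / ESMTPSA / SMTPS mean STARTTLS was negotiated;
    plain ESMTP / SMTP / ESMTPA mean the hop was clear text.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = re.sub(r"\s+", " ", value)  # unfold the multi-line header
        m = HOP_RE.search(flat)
        if not m:
            continue  # not a standard SMTP trace clause; skip it
        src, dst, proto = m.groups()
        hops.append({"from": src, "by": dst, "with": proto,
                     "tls": "SMTPS" in proto.upper()})
    return hops


def plaintext_hops(raw_headers):
    """List the 'from -> by' hops that carried the message in clear text."""
    return [f"{h['from']} -> {h['by']}"
            for h in audit_hops(raw_headers) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_HEADERS):
        print(hop)
    print("clear-text hops:", plaintext_hops(SAMPLE_HEADERS))
```

Run it against the full headers of a message you actually received (most mail clients offer "show original" or "view source") to see which hops, if any, were unprotected.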

New Regulations Raise the Stakes

While there are already plenty of risks in using email to manage your customers’ credit and financial information, the stakes are about to rise. As of Dec. 9, 2022, most dealerships will be expected to comply with new federal regulations for managing and protecting customers’ financing information.

The Federal Trade Commission (FTC) updated the Standards for Safeguarding Customer Information rule under the Gramm-Leach-Bliley Act (GLBA) to mandate improvements in how dealers are protecting customer information. 

Unlike the earlier rule, the updated regulation lays out specific criteria for what financial institutions (which include dealers) must implement as part of their information security program. This gives federal regulators very specific requirements against which to measure a dealer's compliance. Not meeting these requirements could result in a compliance audit by regulators, fines of $46,000 per violation, and the loss of customer confidence once word gets out.

How to Transfer Financial Information

Rather than email or a mix of paper and digital, compliance best practices are increasingly encouraging the use of more sophisticated digital solutions. 

Ideally, dealers capture data directly from the customer on a secure, encrypted platform that is integrated with the lender's system. Besides providing a faster and easier credit application process, this is also the most compliant and secure approach.

To meet the new compliance requirements, dealers will also need a credit and financing solution that ensures all customer information is encrypted, provides multi-factor authentication, allows the dealer to monitor access to customer information, and creates a manageable process for disposing of customer information.

Above all else, dealers must prioritize security and compliance. The new regulations require dealers to designate someone to oversee and be responsible for safeguarding customer information, but more than that, they require dealers to change their mindset.

For far too long, dealers have accepted the status quo and continued their day-to-day business with the same high-risk behaviors, whether it is email or paper-based. The time has come for that mindset to change.

Still have questions about the DCR and compliance? Call Chris Martin at (714) 689-9562 or use his calendar to schedule a meeting.