Consumer data privacy concerns are constantly in the news. Growing pressure on lawmakers to do something has resulted in a wave of new consumer privacy legislation being passed in many states.


California has passed the California Consumer Privacy Act (CCPA), and a similar law is expected to pass soon in Washington state. Alabama, Louisiana, Colorado, Nebraska, Massachusetts and Ohio have recently added data security standards to their data breach notification laws. You can expect other states to follow suit.


These laws require that businesses take "reasonable measures" to secure consumers' personal information, such as names, addresses, Social Security numbers, credit card numbers, credit scores and bank account numbers.


The definition of "reasonable measures" varies from state to state, but all of these laws make protecting customer data a legal obligation, not just good practice. For most dealerships, becoming compliant will require upgrades to software, hardware and data security equipment, as well as new policies and procedures for the people who handle that data.


The California Attorney General has pointed to the 20 CIS Controls published by the Center for Internet Security as the baseline for "reasonable measures": an organization that fails to implement the controls that apply to its environment is not considered to have reasonable security. In a nutshell, if your dealership is located in California, you'll be responsible for the following:


1) Inventory and control of hardware assets

2) Inventory and control of software assets

3) Continuous vulnerability management

4) Controlled use of administrative privileges

5) Secure configuration for hardware and software on mobile devices, laptops, workstations and servers

6) Maintenance, monitoring and analysis of audit logs

7) Email and web browser protections

8) Malware defenses

9) Limitation and control of network ports, protocols and services

10) Data recovery capabilities

11) Secure configuration for network devices such as firewalls, routers and switches

12) Boundary defense

13) Data protection: encryption, integrity protection and data loss prevention techniques

14) Controlled access to data based on the need to know

15) Wireless access control

16) Account monitoring and control

17) Implement a security awareness and training program

18) Manage the security life cycle of all web-based or application software

19) Develop and implement an incident response infrastructure and management plan

20) Penetration tests and red team exercises to test strength of defense


Is your dealership taking all of these "reasonable measures" to protect customer data from cyberattacks? If not, and a breach occurs, you may be subject to fines from your state attorney general's office and/or litigation from the affected consumers.


When it comes to protecting consumer data, dealers can no longer afford to do business as usual. If your state hasn't already updated its data breach notification law or passed a consumer privacy law, it soon will. It's up to every dealer to learn what their state's data security requirements are and to take proactive steps toward compliance.

© 2024 Created by DealerELITE.