Dealer Program Policies

II. Additional Operational Policies

  • F. Cybersecurity Standards

    Dealers should implement the following security best practices as is commercially reasonable under the circumstances and in accordance with all applicable laws and regulations:

    1. Data Handling and Privacy:
      1. Dealers should specify how customer data should be collected, stored, and transmitted securely.
      2. Dealers must obtain explicit consent for collecting and using customer data.
      3. Dealers should implement appropriate technical safeguards with respect to customer passwords and system remote access information. For example, Dealers should not store customer passwords together in unsecured lists, files, or repositories.
      4. Dealers should adhere to all applicable data protection laws, such as GDPR, CCPA, HIPAA, etc., depending on the nature of the data they handle.
    2. Access Control:
      1. Dealers should define who has access to customer data and restrict it to authorized personnel only.
      2. Dealers should implement strong password policies and multi-factor authentication.
      3. Dealers should perform routine access reviews and promptly offboard employees who have ceased employment.
    3. Network Security:
      1. Dealers should require firewalls, intrusion detection systems, and encryption protocols to protect data in transit.
      2. Dealers should regularly update and patch their network infrastructure and software.
    4. Incident Response:
      1. Dealers must have a documented incident response plan to promptly address data breaches or security incidents.
      2. Dealers must promptly communicate security incidents, data breaches, or significant security events to the Company.
    5. Training and Awareness:
      1. Dealers should provide cybersecurity training to their employees to educate them on best practices and potential threats.
      2. Dealers should ensure that employees are aware of social engineering techniques and phishing attempts.
      3. Dealers should install products with security best practices implemented to protect customers.
    6. Vendor Management:
      1. Dealers should assess the cybersecurity posture of their third-party vendors and ensure they meet the Dealer’s security standards.
      2. Dealers should have contractual agreements with their vendors to enforce security requirements.
    7. Regular Audits and Assessments:
      1. The Company reserves the right to conduct periodic security assessments or audits of authorized dealers to ensure compliance with the Company’s cybersecurity standards.
      2. Consequences of non-compliance could include potential termination of the dealer agreement.
    8. Legal and Regulatory Compliance:
      1. Dealers should comply with all relevant laws, regulations, and industry standards related to cybersecurity.
    9. Security Updates and Patch Management:
      1. Dealers should promptly apply security updates, patches, and fixes to their systems and software to address vulnerabilities.

The Company shall not be responsible for any losses arising due to Dealer’s failure to follow these obligations.

Version: January 16, 2024