With alarming frequency, we hear news of the latest data breach or privacy intrusion involving customer information. Indeed, as this article was going to print, reports surfaced of an OEM’s circulated memorandum to its franchised dealers advising them of a vendor data breach potentially affecting more than a reported 3.3 million customers and prospective car buyers1, causing the industry to once again take inventory of data security and privacy issues.
According to the reports, along with public statements issued by the OEM, customer information was ostensibly collected for sales and marketing purposes by the OEM’s vendor and allegedly held in an unsecured electronic file which was compromised, impacting customers’ sensitive information related to vehicle purchases, loans and leases. Additionally, while the details of the breach are still developing, it’s been further reported that dealers that use a specific lead management program offered through the vendor may also be impacted. The OEM preliminarily reported that the customers’ potentially compromised data consisted of driver’s license numbers, and in some instances, dates of birth, Social Security numbers and account numbers, as well as email addresses and telephone numbers. So, what does this mean besides the possibility of litigation, potential liability, regulatory scrutiny and investigation and unsettled or unhappy customers?
The most recent data breach incident is yet another reminder to dealers of the significance of the need to regularly evaluate the data security components of both existing and prospective vendor contracts and agreements. Customers’ privacy and their assurance of its security when doing business with your dealership is not only important to your dealership’s goodwill and reputation in the retail community, it’s also the dealership’s legal obligation.
Even prior to this most recent OEM vendor security breach incident, the privacy and security of customer information has been and continues to be a primary focus of federal and state regulatory enforcement activity. In one of its recent consumer protection enforcement cases relating to breach of data security, the Federal Trade Commission (FTC) charged Ascension Data & Analytics, LLC2 with violations of the FTC’s Standards for Safeguarding Customer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, and the Gramm-Leach-Bliley (“GLB”) Act, 15 U.S.C. § 6801 et seq., by failing to properly vet and oversee protection of customer information placed in the cloud-based storage system by its vendor. The alleged breach resulted in over 60,000 customers’ private, personal information being exposed (i.e., names, dates of birth, Social Security numbers, loan information, etc.), and the FTC sought to hold the mortgage data analytics company responsible for the breach of its hired vendor in failing to develop, implement and maintain a comprehensive information security program in contravention of the Safeguards Rule. The Safeguards Rule requires that third-party service providers also be mandated to protect the security of customers’ personal information. Parenthetically, in the most recent security breach incident involving the OEM and its vendor, the OEM advised its dealers that it has informed the appropriate law enforcement authorities and is working with cybersecurity professionals to assess the scope of the problem.
Importantly, the privacy and security consumer protection laws cited above also apply to auto dealers, which is one reason the most recent OEM vendor data security breach should serve as a reminder to all auto dealers to ensure they and their vendors have comprehensive programs in place for the protection and security of customer information. This includes but is not limited to: (i) ensuring any potential third-party service provider has developed, implemented and maintains a comprehensive information security program before the dealer enters into a business relationship with that vendor; (ii) requiring contractually that all third-party vendors comply with applicable federal and state statutory and regulatory requirements and prescribing contractually such vendors’ responsibility for compliance and for ensuring the security of customer information pursuant to the Safeguards Rule and related federal and state law requirements, including listing the safeguards vendors must have in place and follow; and (iii) continuously monitoring third-party service vendors’ compliance with applicable federal and state laws and adherence to the contractual requirements through the dealership’s establishment and implementation of an audit program to effectively monitor the vendors’ practices.
Protection of customer data and ensuring your third-party service providers do the same is not only vital to your business, it is also your legal obligation. Ensure your data security programs and those of your vendors are in place, implemented and strictly monitored. Dealerships’ compliance with their legal obligations, including ensuring compliance by their third-party vendors, will serve to protect the security of customer data and preserve the dealership’s goodwill and business success.
1 Vellequette, Larry P., “Vendor Linked to VW Data Breach Named in Memo to Dealers”, Automotive News, June 11, 2021.
2 See In the Matter of ASCENSION DATA & ANALYTICS, LLC, https://www.ftc.gov/enforcement/cases-proceedings/192-3126/ascension-data-analytics-llc-matter.
Julie A. Cardosi is an attorney and president of the private firm, Law Office of Julie A. Cardosi, P.C., of Springfield, Illinois. She has practiced law for 35 years and represents the business interests of franchised new vehicle dealers. Formerly in-house legal counsel for IADA, she concentrates her practice in the areas of mergers and acquisitions and other transfers of dealer ownership, franchise law, commercial law, state and federal regulatory compliance matters, including employment and other areas impacting day-to-day dealership business operations. She has also served as former Illinois Assistant Attorney General and Deputy Chief of the Consumer Fraud Bureau of the Attorney General’s Office. The material discussed in this article is for general information only and is not intended as legal advice and should not be acted upon as such. Dealers should consult their own private legal counsel for application to their specific circumstances. For more information, Julie can be reached at email@example.com, or at 217-787-9782, ext. 1.