When you think about it, automobile dealerships can have a lot of very detailed and private information about you. For example, when you buy a car, the dealer may collect your identity and location information (name, address, telephone number, email address and even information about family members and pets). If you finance the vehicle through them, they also may collect a great deal of financial information about you (Social Security Number, credit history, bank(s) you use, account numbers and credit rating). And, of course, they have detailed information about at least one of your vehicles such as make, model, accessories, vehicle identification numbers, etc. All of this information is very desirable to cyber-criminals and hackers.
Not only do auto dealerships have a lot of your private information, the nature of the business gives online and on-site attackers numerous opportunities to access and compromise this information. Employees and customers move about a great deal in automobile dealerships often leaving their work areas unattended. There are numerous workstations around a dealership from the parts department to the service department to the finance department to the sales departments. If users share their passwords with fellow employees for convenience sake or leave their computers active when they are away from them, compromise of private information is made easy. In addition, auto dealership networks are usually connected to numerous service providers, partners and information systems. If these systems are compromised, then compromise of the dealership system could soon ensue. There are also liable to be paper documents containing private information that could be left exposed on desks or in unlocked drawers.
Luckily, auto dealerships that extend credit to someone, arrange for someone to finance or lease a car for personal, family or household use, or that provide financial advice or counseling to individuals are identified as financial institutions and are regulated by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act of 1999 (GLBA). These businesses therefore are required to comply with the FTC Privacy Rule and the FTC Safeguards Rule. Auto dealerships may also be subject to state or local ordinance, or some private regulatory body such as the PCI DSS. This is a good thing for the consumer.
Under the FTC Privacy Rule, dealerships are required to protect private customer financial information, and are required to provide customers with a number of written notices detailing their rights under the Privacy Rule. Under the FTC Safeguards Rule, dealerships must protect physical, paper and electronic customer information. They are also required to have an information security program designed to protect the confidentiality, integrity and availability of private customer information. Since dealerships are considered to be financial institutions, these security requirements are much the same as those your bank must adhere to. There are fines in place for failure to comply with these regulations, and lawsuits may also be filed against dealerships that fail to adequately protect your private information.
Although these regulations don’t guarantee your private information won’t be compromised, they do put a big roadblock in the path of information thieves. Plus, auto dealers know that 84% of those surveyed said they wouldn’t do business with a dealership that has had a customer data breach incident. That surely helps inspire dealers to take information security seriously.