Technology may be driving dealership innovation, but it’s also raising questions about dealer risks and liabilities when outside vendors are allowed access to a dealership’s sensitive data. For many, the National Automobile Dealers Association’s (NADA) annual convention represents a chance for dealerships to explore new tools that can help with efficiency and profitability. But what happens when that new system allows for unauthorized access, and your customer data suddenly appears on a public Web site? That’s a question that state and federal consumer-protection laws will have no trouble answering.
The 2007 NADA Convention featured more than 50 companies offering innovative products and services to help dealers increase product penetration, improve control over the selling process, or reduce contracts in transit. Implementing these products can deliver tangible benefits, but not without risk. The key is to recognize and protect against the risks while capitalizing on the opportunities.
State and Federal Laws Protect Consumer Information
At the federal level, the Gramm-Leach-Bliley Act created two key rules that dealers must comply with: the Privacy Rule and the Safeguards Rule. The Privacy Rule not only requires that dealers provide their customers with notices explaining their dealership’s information-sharing practices, but it also mandates that dealers allow their customers to opt out where appropriate. The Safeguards Rule mandates that dealers develop and adhere to a written security program. It also requires that dealers ensure that all vendors are capable of protecting the data the dealer provides.
Various states have also enacted legislation that provides further protection of personal information. For example, dealerships in California are required to notify their customers when a breach of data security occurs and their sensitive data may have been accessed by an unauthorized individual. Other states have enacted similar or stricter legislation.
Control and Innovation
Having the right computer system and services can really make a difference when it comes to the success of an F&I department. And like F&I managers, the right computer system must strike the right balance between control, innovation and creativity. What’s important to note is that a dealer must have the ability to select the right set of vendor partners, vendors that can provide services that increase sales, profitability, control and customer satisfaction. However, it is unlikely that one vendor alone can satisfy all of these requirements, as some of these services will almost certainly come from vendors other than the one providing the dealership’s dealer management system (DMS).
With that said, that new product you saw at the NADA Convention will either integrate with, or extract data from your current DMS. This means that data will flow from the DMS to a third-party system and back. This also means that a dealer becomes liable once that data flow reaches outside the dealership’s walls, as they face the risk that an unauthorized person might gain access to this sensitive data.
What should a dealer do?
Dealers must choose their partners carefully. Under the Safeguards Rule, dealers are obligated to choose service providers that are capable of maintaining appropriate safeguards, a requirement that must also be stated in the vendor contract.
Once a service provider is selected, there are a few additional steps a dealer can take to reduce risk, such as providing access to only the data the system provider requires. If the partner requires a user-ID and password to get into your DMS, use your system’s security feature to limit what the vendor accesses. Never give vendors system-wide or administrator rights.
It’s also important to regularly audit what’s accessed and what’s extracted. At a minimum, a dealer should perform the audit annually. Many DMS companies have tools to help perform these audits.
Remember, there are progressive DMS providers out there supporting dealers in their efforts to work with other suppliers, which is why it’s important that dealers select a DMS provider that will support a robust set of system tools inside one’s dealership. Here are a few questions you can pose to a potential DMS provider:
1. Can the dealer select any vendor partner, or is the dealer limited to only a pre-selected list chosen by the DMS company?
2. What fees are charged for integration, either directly by the DMS provider to the dealer, or by the DMS company to the dealer-selected, non-DMS service provider?
3. Is the dealer contractually allowed to give service providers access to the DMS? Some DMS providers limit access to only dealership employees and approved partners.
4. Does the DMS company have the right to resell dealer data, either at a transaction level or in an aggregated form?
Dealers now have access to a variety of innovative products and services to increase efficiency and profitability inside the dealership. By taking the right steps at the outset and monitoring system activity, dealers can capitalize on these opportunities and provide a secure environment for the protection of sensitive consumer information.
Allan Stejskal is currently the president of Open Secure Access Inc., a broad coalition of automotive retail dealers, and software and service providers.