James Ganther and Gil Van Over have seen the damage a lack of compliance preparation can bring to dealers.

Attorney Jim Ganther and automotive industry compliance expert Gil Van Over, whose companies recently merged to form Mosaic Audit Services, joined forces at Bobit Dealer Group’s recent Industry Summit to outline hot dealership legal issues.

All half-dozen cases they outlined for illustration purposes shared common themes that dealers can apply to their businesses to protect themselves from potentially career- and wallet-damaging effects.

Appropriately, they started their talk with a cautionary tale.

The case they highlighted, though more than a decade old, has current implications, as the Federal Trade Commission is primed to pursue businesses that run afoul of its Safeguards Rule, designed to protect consumers’ personal information.

As Ganther put it, the rule has 18 requirements that can “trip you up.”

He put the big picture of the rule in a neat package: “The FTC doesn’t have the resources to monitor all businesses, so it created an incentive for plaintiffs’ attorneys to do the work for them.”

Some attorneys took up the rule along with the FTC Privacy Rule in a case against Franklin Toyota-Scion in Georgia, suing the business for failing to protect consumers’ data and for violating its promise to do so. The information was compromised through peer-to-peer file-sharing software on a computer connected to the dealership’s network. The data breach happened in 2008, and the consent order ending the case was filed in 2012.

“If you violate the Safeguards Rule, you’re breaking a written promise you give every single customer,” Ganther said. “That’s a deceptive trade practice, and because it affected virtually every dealership customer, it supports a class action.”

The FTC considers that a violation of the Safeguards Rule is also a violation of the Privacy Rule, and vice versa, he said, and that’s a “bulletproof class-action lawsuit.”

As the law requires, the dealership, when accepting nonpublic information from consumers in order to do business with them, represented itself via its privacy policy notice as taking reasonable measures to protect that information. When it failed to do so, it essentially misled consumers, as far as the law’s concerned, Ganther said.

“It used to be reasonable, but now it’s binary. You either protect that data or you don’t.”

So it’s a violation dealerships definitely want to avoid.

Digital Hygiene

Ganther and Van Over next reviewed a best-practices case, also a data breach gone legal, and also brought by a certified class. The dealership in question here, though, made all the right moves and therefore exited the class action relatively unscathed.

On the weekend of July the Fourth 2021, a malware attack infected the computer network of a dealer group based in northern Virginia, locking down its data silos for ransom.

Here, Ganther disclosed that the dealership is a client of his and described it as well-run and ethical.

“They detected the breach in less than five minutes, shut down the breach in less than 30 minutes, and immediately contacted their lawyers. A forensics team determined how many customers were affected,” Ganther said. “No data left the dealership’s computers.”

Still, consumers sued two weeks after Koons notified them of the incident, saying it hadn’t taken reasonable measures to protect their information and didn’t notify them of the breach quickly enough.

The dealership, without admitting any wrongdoing, agreed to a settlement, which was finalized in nine months, Ganther said.

“Nine months is usually the gestation period,” Van Over quipped.

The dealership had followed the letter of the Safeguards Rule conscientiously, Ganther said. It contacted every potentially affected customer, more than 16,000 in all, and offered them a year of identity protection, web monitoring and dark-web monitoring.

The class accused the dealership of negligence, breach of an implied contract, unjust enrichment – Van Over said those sound like “cookie-cutter” claims – and negligence per se, which brings enhanced damage awards. But there were no allegations of a deceptive trade practice, as in the Franklin case.

“You’re not allowed to file a claim unless you believe something happened,” Ganther said. “Here, the plaintiffs could not. The dealership did everything perfectly.”

Punitive damages weren’t permitted, so the attorneys undoubtedly wished they hadn’t taken the case, he said. “If you can’t get those punies, you drop it like a hot potato.”

The dealership sold this year for $1.2 billion; it likely would’ve brought less than $1 billion if the case had still been pending and the facts less favorable, Ganther said. “Having good digital hygiene probably gave another $250 million for this transaction … Compliance pays.”

Those Nasty Addendums

Next up, Ganther and Van Over discussed a case settled just last year that they said damaged an industry brand’s reputation. This time, the FTC and the state of Illinois sued Ed Napleton Auto Group.

The lawsuit accused the group of including what it termed “junk” add-on products in deals without disclosing them and charging black customers higher fees and interest than other customers for the add-ons, said Van Over, who said he disagrees with the “junk” conclusion about products such as etching for vehicle security.

Though the experts debated the merits of the case, their take-homes for the audience of course centered on how to avoid a record-setting $10 million judgment of the type Napleton swallowed.

Van Over advised: “If you’re going to have addendums, make sure they’re disclosed as early in the sales process as you can.”

The addendum should list the products as options, and if a consumer doesn’t want them, they must be removed from the contract.

The Evils of Markup

Another discrimination case, though Ganther characterized it as a “shakedown” that was “wrongly decided,” is nevertheless a good template for dealers to prevent being on the losing side of a similar one, he said.

American Honda Finance Corp. was accused by the Consumer Financial Protection Bureau of discrimination in 2015 by allowing dealer markup, which Ganther said is how capitalism works: Buy at wholesale, and sell at retail.

The federal agency called the case theory groundbreaking, Ganther said. “No one had ever sued someone over an alleged bad act by another.”

American Honda settled and paid $24 million in restitution and agreed to change its pricing and compensation system to minimize risk of discrimination.

Ganther likened the case to “government blackmail,” and said, “Those who think the federal government is here to help you, please think again.”

He said the consent order settling the case didn’t say that uniform markups are required but described a permitted range of up to 125 basis points for up to a 60-month term and 100 basis points for terms beyond 60 months.

Considering that dealers’ goal is to sell cars “with a minimum amount of friction,” Ganther advised they build a policy around the consent order, because it’s fairly recent and allows flexibility.

“You don’t have to do all the paperwork and the auditing. It’s much more livable than having to explain every markup deviation of a single basis point.”

He said dealers could even stretch beyond the order’s parameters because of increased interest rates in today’s market, but to “check with your local counsel first.”

Disclose, Already

In a deceptive practices case settled for $558,000 last July that in many respects mirrored Napleton’s, Grieco Automotive Group in Rhode Island was accused by the state attorney general of stuffing products.

The AG’s office alleged buyers found late in the purchase process that they were being charged with add-on products that hadn’t been disclosed to them earlier, Van Over said. Others complained they had no chance to have the items removed, while some said they were also told that buying finance-and-insurance products was mandatory.

Van Over said he and Ganther advise dealers to train F&I sales staff in order to prevent such lawsuits, the likes of which will cost Grieco a lot out of pocket because its insurer won’t pay.

Van Over offered the solution for dealers seeking to learn from the Grieco case: “You’ve got to disclose the add-ons. If the customer doesn’t want it, take it off.”

Dialing Back

Lastly, the compliance duo reviewed the 2023 case of Ohio Mega Group, pursued by the state attorney general for rolling back odometers, a federal offense that can come with jail time. The group agreed to settle.

“When we audit deals, we try to make sure to check the mileage,” Van Over said.

He said that among the other allegations against the auto group was a failure to file title applications within 30 days of delivery. “How is that still a problem in the modern world?” he said. “Why are dealers consistently missing a 30-day window with something they can get in 30 seconds?”


Ganther and Van Over emphasized overall preventative measures dealers can employ to avoid running afoul of the law:

  • Strike a consistent tone from the top.
  • Conduct a risk assessment.
  • Establish written policies with repeatable, verifiable processes.
  • Add a compliance-management system if one isn’t already in place.
  • Train employees on the policies, keeping records of completions.
  • Conduct regular reviews and audits.
  • Demonstrate that the business has corrective actions in place.
  • Dismiss any staff you verify have forged a signature.
  • Retain a lawyer to review your advertising.

Van Over said he once conducted a finance-and-insurance compliance training for Fox Motors in Michigan. “Dan DeVos (chairman and CEO) was in the front seat in every session. That tone from the top spoke volumes.”


Ganther added, “What you tolerate, you encourage.”

Hannah Mitchell is executive editor of Auto Dealer Today. A former daily newspaper journalist, her first car was a hand-me-down Chevrolet Nova.

Originally posted on Auto Dealer Today