By Alysha Webb, Editor and Publisher
Ally Financial just announced a partnership with Clearlane, which facilitates online vehicle financing. Ford Motor Credit has partnered with AutoFi to allow shoppers to purchase a vehicle straight from a dealership’s website. Online buying isn’t coming; it has arrived.
As more of the car purchase experience moves online, dealers will face rising demands on their IT safety plans. In the online sales world, IT safety compliance should be a growing focus of dealerships. Otherwise, the penalties can be severe.

“Most car dealers have never done anything to secure their network,” Max Zanan, founder and CEO of Total Dealer Compliance, tells Automotive Buy Sell Report. “If hackers can hack the government, they can definitely hack a dealership.”
In a buy sell, making sure a culture of compliance exists at a dealership is crucial, says TDC’s Zanan.
“A lot of times, you see a total disconnect between what the management thinks the culture is and what it really is,” says Zanan.
Identity theft and IT security will be huge issues in compliance going forward, he says. A dealer must notify customers if a dealership IT network has been breached. The dealership’s reputation is at stake, says Zanan.
“You may not be impacted, but I am pretty sure you are not going to go back to the dealership and buy a car there,” he says.
Total Dealer Compliance, or TDC, offers compliance auditing and training, including a new online ELearning platform. It has compliance checklists for every department. The IT checklist includes items such as requiring employees to log off when they use a computer, disabling USB drives to prevent illegal downloads, and obtaining cyber theft insurance.
Dealers should also wipe all information from devices such as printers, which also retain information, says Zanan. “Most dealers only think of paper” when they think of eliminating customers’ personal information, he says.
A huge amount of information is stored in the Dealer Management System. Dealers may believe that the DMS provider is responsible for securing that information, but dealers themselves also have responsibility, says Sally Lopez, director of information technology, dealer services, at CPA firm Rosenfield & Co.
As more information is stored in the cloud rather than on the dealership premises, safety responsibility becomes grey, depending on who is responsible for maintaining the dealership’s IT structure, she tells Automotive Buy Sell Report.
“Anything with the DMS vendors is never clear,” says Lopez.
Vendors are increasingly making dealerships responsible for their own IT networks, she adds. “It is never black and white.”
Third parties are also suing DMS providers CDK and Reynolds & Reynolds to gain access to DMS data. If that suit succeeds, having a good safety system at the dealership level will become even more important, says Lopez.
“It is going to be up to the dealership. It is their data [and] they have responsibility for it,” she says. “They need to make sure they and their vendors are doing their job.”

Regardless of where the data is stored, there will always be some data the dealerships are responsible for protecting, says Kynzie Sims, legal content product manager at Compli, which assists companies in organizing compliance activities.
Compli offers an online training platform of courses that keeps track of what training employees have completed, and awards certifications, she says.
Not protecting customer data can be costly. The FTC’s Disposal Rule currently carries a fine of $2,500 for each violation, says Sims. And the Gramm-Leach-Bliley Act, which mandates that financial institutions protect consumer information, has civil penalties of up to $10,000 for officers and directors of businesses found to be non-compliant.
Workforce education the key
Dealerships should have an IT professional on staff, or contract with a third party, says Sims. But no matter how much money a dealership spends trying to secure its IT systems, “there is always going to be room for improvement,” she says. IT standards change frequently and technology evolves.
The most important hedge against IT dangers is workforce education, says Sims.
“You can have the most high-tech security on your servers, but it is your employees that are ultimately going to provide the best security through how they use the system,” she says. “The entire team needs to be aligned to the goals of maintaining safety.”