Dealers to states: Let us control data

In January 2018, North Carolina Auto Dealers Association President Robert Glaser predicted a battle over dealership management system data would be waged at the state level. In at least five states, the fight has begun.

In Montana, Arizona and Oregon, dealers scored a win by lobbying their state legislatures to pass laws this year giving them control over data stored in a DMS while also preventing the software providers from charging a fee to third parties. A related law was enacted in Hawaii last year, and similar legislation has been introduced in North Carolina. The dealer push is not expected to stop there.

"It's going to go across the country," said Bruce Knudsen, executive vice president of the Montana Automobile Dealers Association. "The most important thing for dealers is to [be able to] control your own data."

As technology to collect and store consumer data has evolved, dealerships increasingly rely on interconnected, third-party-provided systems to store it.

Large DMS companies such as CDK Global and Reynolds and Reynolds, as well as some privacy experts, say this potentially leaves sensitive data susceptible to hacking if that data is not adequately protected. They oppose the dealers' legislative push. Dealers, however, argue they can protect their own data and simply need more control over it.

While data security is being tackled at the state level, it's a long-standing concern of the National Automobile Dealers Association.

Jared Allen, vice president of communications at NADA, said the association is supporting its members in the fight.

"We anticipate additional state activity beyond those bills that have already been introduced," Allen told Automotive News in an email. "NADA will continue to provide technical assistance and expertise where appropriate to supplement the efforts of the state associations to protect dealer and consumer interests."

Montana got an early start because the state is implementing an electronic titling program with ViTu, of California, which worked with the dealer association on the legislation, Knudsen said. ViTu did not respond to a request for comment.

Dealers in Montana and elsewhere are tackling the issue, Knudsen said, because of how the two largest DMS providers handle data.

"CDK and Reynolds and Reynolds are bad players when it comes to controlling dealers' data," he said.

CDK and Reynolds and Reynolds officials reject that characterization. CDK also noted it took "immediate action" in January to make several customer-friendly changes and said it maintains an open dialogue with dealers.

Bruce Anderson, chairman of the Automotive Trade Association Executives, which represents executives of more than 100 state and local dealer associations in the U.S. and Canada, said the issues involved in using and securing dealership data are too complex to be figured out in court.

Anderson, also president of the Iowa Automobile Dealers Association, said the abuses are overcharging for access or certification and the use or reuse of data without the dealer's knowledge.

"Dealers have this stack of data that they're responsible for protecting," Anderson said. "They need to know that the vendors that they are working with are protecting it and complying with the use of it. If they don't know what's going on behind the scenes, it's tough to do that."

North Carolina already had data laws on its books, but Glaser told Automotive News the new legislation clarifies the law to protect dealers. It would give them the ability to push the data to whomever they wish while also verifying who accesses the data and for what purpose.

"If you have a third party that's coming into the dealers' DMS systems, the dealer wants the ability to know who came in and what [information] they took," Glaser said.

The bill also would give dealerships the ability to better protect data by blocking specific data categories from being shared — sensitive consumer information such as Social Security numbers. It also clarifies that data in the DMS is owned by the dealers and that they should be held harmless if a third party misuses it. The cost of a breach should be borne by whoever caused the problem, Glaser said.

Reynolds and Reynolds spokesman Thomas Schwartz said the company is reviewing how new laws and proposed legislation will affect its business.

"The legislation in these states could be interpreted as restricting our ability to secure the Reynolds DMS and the data in it in the ways we believe are necessary — and required by the [Federal Trade Commission] in order to safeguard consumer data," Schwartz said in an email.

The moves could prohibit Reynolds from preventing "unfettered system access" by third parties once dealers grant such access, Schwartz said.

The company also said some of the legislation could prevent it from protecting intellectual property in the DMS. "Our cause for concern is even higher when we view these legislative initiatives through the lens of the recent FTC announcement regarding DealerBuilt," Schwartz said.

He was referring to an FTC settlement in June with Iowa DMS vendor DealerBuilt over an October 2016 breach in which hackers gained access to the personal information of more than 12.5 million dealership customers at 130 stores.

Legal experts said it marked the first time the FTC went after a DMS company, setting a precedent for treating service providers as financial institutions under the FTC's Safeguards Rule, which requires companies to protect sensitive digital information. But the decision didn't absolve dealerships of responsibility, legal experts said.

Nor did the case settle the dispute over how much control dealers should have over data in the DMS.

CDK said in an email that the new laws in Arizona and Oregon "insert the government's judgment" into who can access sensitive data in the DMS and dictate how DMS services are priced, "including requiring the price to be zero or free."

Montana's new law prohibits charging fees and gives dealerships full control over how they share their data and with whom. Many dealers complain that some DMS providers, including CDK, charge fees to third parties, then prevent third parties from disclosing how much the fees are. CDK said dealers do have access to its fees.

Without naming DealerBuilt, CDK also noted the settlement with the FTC and said laws such as those in Arizona and Montana could make it harder to comply with heightened security requirements.

Not all DMS providers are concerned. In Montana, Cox Automotive's Dealertrack argued on behalf of dealers.

"We have a responsibility, for sure, to keep the data safe," said Mandi Fang, vice president of Dealertrack's DMS business. "But we also feel our responsibility is to enable [dealers], no matter who they choose to do business with."

The "high fees" some DMS providers charge can hinder business, Fang said.

Cox and others sued CDK and Reynolds in 2017, alleging the two DMS competitors colluded to block competition. That litigation continues. Dealers brought a similar suit, though Reynolds settled with them last fall for $29.5 million. CDK and dealers have not settled.

Privacy expert Chris Apgar sides with the DMS giants. Apgar, a data security consultant in Oregon, argued that Oregon's language gives dealerships too much control over data and makes customer information vulnerable to breaches. Apgar, who specializes in data security in the health care sector, told Automotive News that any law that appears to make data more open also makes it less secure.

"The more you can lock down the data, the better you are," he said.

For Todd Crossley, dealer principal at Gary Crossley Ford in Kansas City, Mo., the issue comes down to who owns the data and how it's paid for. He favors the legislative push and said Missouri dealers want similar provisions. Crossley was and remains a DealerBuilt customer, despite the 2016 breach. He worries he could be held liable if required to secure the data, but "that's why you do double duty" and "pay attention to who has access to your data."