Industry puzzles data privacy maze

Imagine returning late one night from a business trip and walking across the airport parking lot to your car to drive home. You press the remote keyless-entry fob to unlock and start the vehicle. Strapped in and cellphone plugged into the charger, you're on your way. Or not. A routine drive home is impossible now that a hacker has deployed "gridlockware" to your vehicle, rendering it inoperable. You are stranded, unless you follow instructions and pay ransom.

Don't believe this could happen? A 2019 Georgia Tech study proved the likelihood only on a much larger scale with devices known as "code grabbers" that copy or intercept the signals used to remotely open and start vehicles. According to a 2019 FBI cybersecurity report, the U.S. automotive industry has been under siege since 2018 by ransomware infections, data breaches to gain access to personal information and exploit network vulnerabilities. In 2019, a massive data leak on an unsecured car-buyer marketing database exposed the personal information of 198 million records.

For years, American consumers provided personal information to dealerships only to find it potentially vulnerable to exploitation now on the dark web or in the hands of cybercriminals. California is one of the first U.S. states to pass sweeping legislation to combat this and other trends with the California Consumer Privacy Act of 2018, which took effect Jan. 1 this year.

The auto industry will start to experience what the health care and finance sectors have been facing for decades — an ever-changing and more complex privacy landscape. Specifically, the CCPA creates consumer rights for Californians that enable access to, sharing or deletion of and the ability to opt out of the sale of personal information collected by a business.

Translation: Companies need to reassess their customer practices, information life cycle and business model to adhere to the shift happening in California to empower consumers to take the lead on decisions about their personal information.

Over the years, dozens of states have enacted privacy and data-breach laws. None, however, have been as far-reaching as the CCPA, which has been compared to the European Union's General Data Protection Regulation that became effective in 2018. A major difference, though, is that the cost of a CCPA violation is not capped and includes a private right of action. With a range of up to $750 per violation, a data breach of 10,000 records could cost as much as $7.5 million — enough to spell bankruptcy for a dealership.

There's still time for dealerships and their vendors to comply as the CCPA won't be enforceable until six months after California's attorney general issues the final regulations — or no later than July 1.

At least nine other states — including New York, Maryland, Massachusetts, Oregon and New Jersey — also are considering consumer privacy laws, raising the fear that companies will have to contend with a maze of different regulations to demonstrate compliance. The federal government has passed privacy laws protecting specific classes of consumers — such as the Health Insurance Portability and Accountability Act for patients and the Children's Online Privacy Protection Act to regulate the collection of personal information from children. So far, however, it hasn't been able to enact a broad national policy on par with the EU's GDPR.

Until then, the best course of action for any auto manufacturer that or dealer who collects and maintains databases of customer information is to seek expert guidance and aim to achieve a level of compliance that meets or exceeds the strictest regulatory regime now in place. In the U.S., that benchmark was set by California; globally, GDPR is considered the standard.

You can re-examine your data privacy policies with these steps:

• Perform a privacy-compliance readiness assessment to obtain a snapshot of your organization's compliance posture to remediate gaps and mitigate risks.
• Review internal and external privacy procedures to ensure corporate policies and information security safeguards are compliant with the law, communicated appropriately and to which your organization can adhere.
• Review third-party vendors and contractors to ensure agreements and contracts capture the level of specificity for procedures and security safeguards required of vendors and third parties.

Stories such as the vehicle ransomware attack are real and the network data breaches too common — and growing. The CCPA will go a long way to requiring manufacturers and dealerships, and their business partners, to identify network vulnerabilities, reduce privacy risks and implement more stringent safeguards to help mitigate the impact of or prevent such attacks.

Stakeholders from across the auto industry need to reassess their privacy policies and business practices through a customer-focused lens. Data privacy tune-ups prior to the July 1 deadline can mean fewer challenges — and the protection of financial losses — down the road.