If you ask a random dealer what his biggest compliance concern is, you might hear “the CFPB,” “sexual harassment,” or “deceptive trade practices.” Serious issues, all. But those threats all involve what might happen at some future date, and all of them carry serious financial consequences. There is a bigger risk, however, and it is ticking like a hidden time bomb at most dealerships even as you read this article.

It is a bigger risk because it is unbelievably common. While no statistics exist, in my experience, far more than half of all dealerships are vulnerable right now.

It is a bigger risk because the monetary impact is massive, even existential. “Existential” is a big word for this magazine, but the impact could, literally, wipe out a dealership.

The greatest compliance risk is dealership data security. And before you dismiss the threat with a casual shrug and “we’re covered,” know that complacency lights the fuse. If you aren’t losing sleep over this risk, you’re either bombproof or its next victim.

The Problem

The problem stems from the fact that dealerships must collect and store a vast amount of customer data, including nonpublic personal information (NPI). Increasingly, this data is stored electronically. Steal a deal jacket and you’ve stolen a single identity. Hack a DMS and you can steal tens of thousands.

A recent poll indicated more than 75% of American business owners admitted to a network compromise within the previous 12 months. This statistic is all the more sobering because the data dealerships routinely store is devastating if stolen, and dealers generally aren’t even aware that it has been stolen. This is one situation in which ignorance is most definitely not bliss.

The Reality

The March 22, 2016 issue of F&I and Showroom featured a story entitled “Hackers Targeting Dealerships, Firm Warns.” A dire warning it was. “According to the firm, hackers are targeting dealerships and their accounting and F&I departments.” Of course they are. To quote Willy Sutton, when asked why he robbed banks, it’s “because that’s where the money is.”

True story: I was conducting a Safeguards audit at a dealership when we discovered its DMS was being hacked even as we watched. One hundred percent of the customer data had already been downloaded and, every six seconds, whatever new data entered the DMS was being sucked out.

“That’s impossible!” protested the general manager. “We have firewalls!”

We checked and confirmed that the dealership did not, in fact, have any firewalls. The GM ran to his office and returned with a file that included a purchase order for firewalls and a canceled check representing payment for that protection. And yet, there was no firewall installed.

Care to guess who the hacker was?

But even if a properly configured firewall had been installed, the dealership would not have been adequately protected. Firewalls are essential, but they are not sufficient; relying on firewalls alone is not enough. Other easily available software and hardware safeguards must be utilized and constantly updated.

To appreciate why, let us turn to a company we all know: Petco. The purveyor of dog food and chew toys offered products through its website. The website contained Petco’s privacy policy, which, not unlike your dealership’s privacy policy, assured customers their data was being reasonably protected. Unfortunately, it was not. And of course the database was hacked. Customer NPI, including credit card data, was accessed in plain text.

The Federal Trade Commission found that Petco failed to “implement procedures that were reasonable and appropriate to (1) detect reasonably foreseeable application vulnerabilities, and (2) prevent visitors from exploiting such vulnerabilities and obtaining unauthorized access to sensitive consumer information.” Then came the kill shot: The acts and practices of Petco “constitute unfair or deceptive acts and practices.”

If your dealership doesn’t properly protect your customers’ NPI, you are exposed not only to a negligence suit but to a class action for deceptive trade practices. So why are dealers so vulnerable? Because despite the wealth of data their systems contain, their attitude toward protecting it doesn’t necessarily match the data’s value.

James S. Ganther Esq. is the co-founder and CEO of Mosaic Compliance Services. He is a dealer compliance expert and a prolific writer and speaker. Email him at [email protected].