August 12, 2020
Don’t Let Your Car Dealership Become a Target – Ensure Your Client Data is Compliant and Secure

With the introduction of the Patriot Act of 2001 to combat money laundering, car dealerships were forced to play the role of Secretary of State, credit agency, and online business. The sheer volume of client information flowing through a dealership’s network is subject to strict compliance regulations, but how secure is it?

During the car sales process, a client’s data is entered into systems such as ADP or Reynolds & Reynolds Retail Management System. Both are typical browser-based web applications that are secured in transit and encrypted on backend systems. However, it’s the local-level dealership that is often overlooked when it comes to securing sensitive information. Malware may already sit on the dealer’s desktop actively relaying personal client information directly to a malicious actor.

In a 2018 study by CDK Global*, 85% of dealership employees in an IT-related role confirmed that their franchise had been the victim of a cybersecurity incident within the previous two years. Automotive manufacturers reported that 73% of dealerships do not use a Security Information and Event Management (SIEM) solution, while 66% have never conducted a formal risk assessment to identify internal and external cybersecurity risks. The study also reported that 65% of dealerships do not regularly test their security systems and processes, and 63% do not have a formal process for responding to a security incident.

Furthermore, dealerships offering financing options are subject to the same state and federal laws as any financial institution – notably, the Safeguards Rule of the Gramm-Leach-Bliley Act. The rule states that financial institutions must develop a written information security plan describing the processes and procedures for protecting a client’s non-public information (NPI). They must also conduct a thorough risk analysis of each department that touches NPI, and develop, monitor, and test their security safeguards. These safeguards must:

  • Ensure the security and confidentiality of client data
  • Protect against anticipated threats to the security or integrity of collected data
  • Protect against unauthorized access to or use of data that may result in substantial harm or inconvenience to the client
  • Ensure the proper disposal of client information

The penalties for non-compliance can be severe: up to $100,000 per violation, $10,000 in personal fines, and potential imprisonment for officers and directors of the institution. Based on the numbers presented in the CDK Global study, we can assume that more than 60% of car dealerships offering financing options are non-compliant with the federal laws applicable to financial institutions.

If a dealership is hacked and client data is leaked, the dealership will not be the sole subject of the investigation and subsequent penalties. Last year, client data was breached at both Toyota and Lexus through vulnerabilities at their Japanese dealerships. The breach exposed 3.1 million items of information to hackers and made brand-damaging headlines across the world. In a survey by Total Dealer Compliance**, 84% of consumers indicated they would not purchase a vehicle from a dealership that had been compromised.

The reverse is also true – well-planned security practices can be a major selling advantage for automotive dealerships and a benefit to consumers. According to Total Dealer Compliance***, 68% of consumers are more likely to purchase a car from a dealership that adheres to all federal regulations, 77% are more likely to refer friends and family to dealerships that prioritize compliance, and 73% of consumers are more comfortable doing business with dealerships that mandate security compliance training for their employees and display certifications of completion.

So, what can you do about it?

As a Client

  • Ask what steps the dealership takes to protect your data
  • Ask about data retention policies – where does your information go and how is it being stored?
  • Ensure the dealership has a plan in place to protect your sensitive information both on- and off-premises

As a Dealer

  • Ensure your dealership isn’t using outdated technology to process client information
  • Train your team on security compliance and threats facing your industry
  • Review data retention policies to ensure client information is properly stored

There are many reasons why automotive dealerships should adopt a security-focused mindset and begin adopting the tools, training, and technology that strengthen their cybersecurity posture. Together, we can ensure a more secure industry and a safer client experience.

Contact CBI today and hear how we can help you develop a more comprehensive security plan.

*Protecting Your Dealership from Cyberattacks in 2019: Insights: CDK Global. (2019). Retrieved from

**Computer Security Press Release. (2015). Total Dealer Compliance.

***Consumer Trust Infographic. (2018). Total Dealer Compliance. Retrieved from

About the Author
Jacob Mathis
Security Engineer
Jacob is a multifaceted, detail-oriented, and technically inclined information security professional from the southeast Michigan area. He attended Eastern Michigan University for a degree in Information Assurance & Cyber Defense where he specialized in open source intelligence techniques. Jacob now works as a Security Engineer on CBI’s Architecture & Implementation team.

Jacob grew up in the automotive industry, helping dealerships manage their IT infrastructure. Thanks to his family trade, he was given a firsthand look into the world of information technology within the automotive vertical.