Data security is becoming an increasingly public concern as databases from large retailers continue to be breached and consumer information exposed. Congress is holding hearings this week with top data security professionals to discuss how best to prevent future breaches. The concern is so high that Congress is considering implementing national policy to better safeguard consumers. Data security certainly isn’t a new topic to dealers. In fact, there have been some very high-profile automotive vendors that have felt the backlash of dealers when the dealers felt that their customer data was being used for purposes other than what they thought they should be using it for.

In the automotive space, data is necessary in almost every aspect of operations. You think Target had it rough when it was breached? The thieves in that case managed to compromise 110 million consumers’ credit and debit card information. Dealerships have exponentially greater liabilities when it comes to data security. In addition to processing credit card payments, dealerships collect much more in-depth personal information from consumers perhaps second only to financial institutions. Consumers trust that dealers will protect that data which includes hyper-sensitive information like their addresses, dates of birth, social security numbers, driver’s licenses and more.

Dealers are simply stuck between a rock and a hard place. On one side, the FTC mandates that dealers not share nonpublic personal information with anyone without receiving the customer’s permission. The other side sees the necessity of dealers partnering with vendors to facilitate customer data management, targeted marketing pieces and inactive customer follow up (just to list a few) yet to do so the dealer needs to share nonpublic customer data. According to a recent article in Automotive News, now OEMs are demanding (yes, demanding) data from its dealers even to the point of threatening to withhold quarterly incentive payments if their dealers fail to do so. These financial penalties could amount to literal “fines” from the OEM to the dealer for non-compliance.

Nobody is debating the need for data security or the necessity of dealerships sharing data with vendors in order to help dealers facilitate operational and marketing efforts. Dealers need to know, however, that ultimately the FTC is going to hold them responsible for any data breaches that expose their customer information regardless of whether the breach happened within their systems. Compliance and data security issues will only continue to escalate. As the U.S. Government gets more involved, dealers will have to ensure that they are not only in compliance with their state laws but also with any federal laws… and it seems like that hammer is about to fall… hard.

Dealers need to be aware of who they are sharing their data with, exactly what data is being shared and what is being done with it after the fact. The days of carte blanche DMS access for vendors are gone. “Dealers should never let vendors have full access to a dealership management system or customer-retention data without knowing what data fields are being pulled”, advises Brad Miller, director of legal and regulatory affairs for the National Automobile Dealers Association.

We recognize that sensitive customer information is needed to create and deploy powerful, targeted marketing over many channels. Without access to a dealership’s data, many vendors simply could not remain in business. Our jobs as vendors are to assist the dealer while ensuring that in no way do our services expose them to liability. On the other side of the coin, dealers need vendor technology to increase revenue through customer retention and acquisition marketing in the same way it needs CRM and DMS systems to operate. Dealers need to have confidence in the partners that they choose. Choosing vendor partners based on price could prove to be more expensive in the long run if data security issues arise.

Knowing who you are working with, what data they need, what you are giving them and what they are doing with it is an obligation you assume the minute a customer hands you their credit card or fills out a credit application. You have to understand exactly what data the vendor needs and ensure that you are not providing additional data that isn’t necessary for them to complete the service you’ve hired them for. The public’s hyper-awareness of data security and heightened concern regarding it due to the recent incidents of data breaches make it even more important than ever for dealers to ensure that they are doing their due diligence by partnering with vendors that have appropriate security processes in place to protect consumer data and, by extension, the dealership. Even the vendor with the best intentions can put a dealer at risk without written process documentation and adherence to the strictest data security standards.