top of page
  • Writer's pictureJulie A. Cardosi


With alarming frequency, we hear news of the latest data breach or privacy intrusion involving customer information. Indeed, as this article was going to print, reports surfaced of an OEM’s circulated memorandum to its franchised dealers advising them of a vendor data breach potentially affecting more than a reported 3.3 million customers and prospective car buyers[1], causing the industry to once again take inventory of data security and privacy issues.

According to the reports, along with public statements issued by the OEM, customer information was ostensibly collected for sales and marketing purposes by the OEM’s vendor and allegedly held in an unsecured electronic file which was compromised, impacting customers’ sensitive information related to vehicle purchases, loans and leases. Additionally, while the details of the breach are still developing, it’s been further reported that dealers that use a specific lead management program offered through the vendor may also be impacted. The OEM preliminarily reported that the customers’ potentially compromised data consisted of driver’s license numbers, and in some instances, dates of birth, Social Security numbers and account numbers, as well as email addresses and telephone numbers. So, what does this mean besides the possibility of litigation, potential liability, regulatory scrutiny and investigation and unsettled or unhappy customers?

The most recent data breach incident is yet another reminder to dealers of the significance of the need to regularly evaluate the data security components of both existing and prospective vendor contracts and agreements. Customers’ privacy and their assurance of its security when doing business with your dealership is not only important to your dealership’s good will and reputation in the retail community, it’s also the dealership’s legal obligation.

Even prior to this most recent OEM vendor security breach incident, the privacy and security of customer information has been and continues to be a primary focus of federal and state regulatory enforcement activity. In one of its recent consumer protection enforcement cases relating to breach of data security, the Federal Trade Commission (FTC) charged Ascension Data & Analytics, LLC[2] with violations of the FTC’s Standards for Safeguarding Customer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, and the Gramm-Leach-Bliley (“GLB”) Act, 15 U.S.C. § 6801 et seq., by failing to properly vet and oversee protection of customer information placed in the cloud-based storage system by its vendor. The alleged breach resulted in over 60,000 customers’ private, personal information being exposed (i.e., names, dates of birth, Social Security numbers, loan information, etc.), and the FTC sought to hold the mortgage data analytics company responsible for the breach of its hired vendor in failing to develop, implement and maintain a comprehensive information security program in contravention of the Safeguards Rule. The Safeguards Rule requires that third-party service providers also be mandated to protect the security of customers’ personal information. Parenthetically, in the most recent security breach incident involving the OEM and its vendor, the OEM advised its dealers that it has informed the appropriate law enforcement authorities and is working with cybersecurity professionals to assess the scope of the problem.

Importantly, the privacy and security consumer protection laws cited above also apply to auto dealers which is one reason the most recent OEM vendor data security breach should serve as a reminder to all auto dealers to ensure they and their vendors have comprehensive programs in place for the protection and security of customer information. This includes but is not limited to: (i) ensuring any potential third-party service provider has developed, implemented and maintains a comprehensive information security program before the dealer enters into a business relationship with that vendor; (ii) requiring contractually that all third-party vendors comply with applicable federal and state statutory and regulatory requirements and prescribing contractually such vendors’ responsibility for compliance and for ensuring the security of customer information pursuant to the Safeguards Rule and related federal and state law requirements, including listing the safeguards vendors must have in place and follow; and (iii) continuously monitoring third-party service vendors’ compliance with applicable federal and state laws and adherence to the contractual requirements through the dealership’s establishment and implementation of an audit program to effectively monitor the vendors’ practices.

Protection of customer data and ensuring your third-party service providers do the same is not only vital to your business, it is also your legal obligation. Ensure your data security programs and those of your vendors are in place, implemented and strictly monitored. Dealerships’ compliance with their legal obligations including ensuring compliance by their third-party vendors will serve to protect the security of customer data and preserve the dealership’s good will and business success.

[1] Vellequette, Larry P., “Vendor Linked to VW Data Breach Named in Memo to Dealers”, Automotive News, June 11, 2021. [2] See In the Matter of ASCENSION DATA & ANALYTICS, LLC,

23 views0 comments


bottom of page