We're hosting a live conversation with 40 Under 40 honorees
this Thursday at 3pm ET. Click here to learn more.

Vet outsiders with access to F&I data, consultants say

Dealerships have a vast amount of data that criminals want, with much of that data living in the F&I office. Beyond installing the proper software to protect the data in their own systems, dealers need to vet vendors and invest in programs that give them control over the information vendors see, consultants say.

If vendors use the data “downstream without dealers’ or consumers’ permission,” they are using the information illegally, said Paul MacDonald, president of TriMac Automotive Advisory Group, a dealership IT consulting firm in Hays, Kan. He is also part owner of Orem Mazda in Orem, Utah, and Bountiful Mazda in Bountiful, Utah.

Vendors require access to the dealer management system in their dealership agreements. But too often, “there is no way to specify which data fields go to specific vendors. They extract the whole sales file. Whether a vendor uses that data or not is another story,” he said.

‘Vet them’

If vendors intend to use data illegally, dealers won’t be able to stop them, said Terry Dortch, CEO of Automotive Compliance Consultants, a dealer consulting firm in Crystal Lake, Ill.

“The only thing you can do is make sure you can vet them properly,” Dortch said. “Even if their intentions are good, you want to make sure they are structured in a way that somebody can’t get into their system.”

That means physically inspecting their premises and asking them to sign a statement confirming they have proper firewalls and employee standards, he said.

The DMS providers have been slow to take steps that allow dealers to control data fields, MacDonald said. But they are moving forward.

Monitoring access

For example, DealerVault, of La Crosse, Wis., gives dealers control and visibility into what data is available to each of their vendors. Dealers can update data feeds, limit access, monitor all activity and view reports detailing when data was collected and sent to vendors, the company website says. The website also notes that DealerVault is not certified by any DMS provider. “Certification would increase the overall cost to the dealer without any added benefits,” the company says.

CDK Global began rolling out a similar program, Dealer Data Exchange, this month. It also gives dealers more visibility over data that go to third-party vendors and automakers. The launch will be complete in January, a spokesman said. In any case, dealers should be proactive with their data security.

“There is a treasure trove of data at a dealership,” MacDonald said. “And we are behind the eight ball. We don’t have the security levels that are required for the amount of data that we have.”

You can reach Hannah Lutz at hlutz@crain.com -- Follow Hannah on Twitter: @hm_lutz

ATTENTION COMMENTERS: Automotive News has monitored a significant increase in the number of personal attacks and abusive comments on our site. We encourage our readers to voice their opinions and argue their points. We expect disagreement. We do not expect our readers to turn on each other. We will be aggressively deleting all comments that personally attack another poster, or an article author, even if the comment is otherwise a well-argued observation. If we see repeated behavior, we will ban the commenter. Please help us maintain a civil level of discourse.

Email Newsletters
  • General newsletters
  • (Weekdays)
  • (Mondays)
  • (As needed)
  • Video newscasts
  • (Weekdays)
  • (Weekdays)
  • (Saturdays)
  • Special interest newsletters
  • (Thursdays)
  • (Tuesdays)
  • (Monthly)
  • (Monthly)
  • (Wednesdays)
  • (Bimonthly)
  • Special reports
  • (As needed)
  • (As needed)
  • Communication preferences
  • You can unsubscribe at any time through links in these emails. For more information, see our Privacy Policy.