CDK, Reynolds have no security need to block DMS access, expert says

A cybersecurity expert who worked for the Clinton and Obama administrations says CDK Global Inc. and Reynolds and Reynolds have no justifiable "security" or "privacy" needs to block data integrators from accessing their dealership management systems.

Peter Swire, now a law and ethics professor at Georgia Institute of Technology, provided his comments in written testimony on behalf of data integration company Authenticom in its antitrust lawsuit against the software giants, which was filed May 1.

Swire's comments were included in a preliminary injunction filing Thursday, which also included testimony from several dealers and a vendor. The parties complained about the fees that CDK and Reynolds charge third-party vendors to access the consumer data needed to run their systems. The added expenses for third parties typically are passed along to vendors' dealership clients.

Collusion?

If the court approves Authenticom's injunction, the company would be allowed to access dealership data belonging to stores using CDK and Reynolds systems while the anti-trust lawsuit plays out.

Authenticom sued CDK and Reynolds because it says the two colluded to divvy up the dealership data integration business and exclude competition from the market. Authenticom says it is the last competitor left in the dealer data integration space.

CDK and Reynolds have blocked Authenticom from accessing dealership data in the name of security, but Swire doesn't buy their reasoning.

Swire wrote that Authenticom appears to use "standard and accepted techniques for transferred data." He added that the medical and financial industries handle more sensitive data than car dealerships, but they share similar data integration and "other software service provision[s]."

Swire wrote, "If those practices are sufficient to protect the more sensitive information at risk in the financial services and health care industries, it is my opinion that those practices are sufficient to address privacy and security concerns in the integration market for dealer data."

Technical mechanisms

Swire reviewed the "technical mechanisms" that Authenticom uses to pull data from a DMS and said the process is essentially the same as when a dealership employee does it.

Going further, Swire examined CDK subsidiaries Digital Motorworks and Integralink that provide data integration services for dealerships. He found that the CDK units use login credentials provided by dealerships, just as Authenticom does.

But CDK and Reynolds have routinely disabled login credentials over the years that integrators need to access a DMS. If this method is secure enough for Digital Motorworks and Integralink to use, Swire wrote, "security would not seem to be a basis for excluding Authenticom."

Adding to his argument, Swire said both Reynolds and CDK use Authenticom's integration services in some cases. Reynolds sometimes has Authenticom pull data from dealerships using Reynolds' systems for data integration with Reynolds' own applications.

Plus, Authenticom pulls data for AVRS, a wholly owned joint venture of CDK and Reynolds that provides electronic vehicle registration and titling services for California dealerships. Swire said Authenticom's security techniques must be sufficient if CDK and Reynolds are willing to trust the company to complete these tasks.

Swire wrote, "It is my opinion that the wholesale blocking of data integrators is not reasonably necessary and that independent data Integrators like Authenticom can provide data integration services while maintaining security and privacy."

You can reach Vince Bond Jr. at vbond@crain.com -- Follow Vince on Twitter: @VinceBond86

0

Shares

ATTENTION COMMENTERS: Over the last few months, Automotive News has monitored a significant increase in the number of personal attacks and abusive comments on our site. We encourage our readers to voice their opinions and argue their points. We expect disagreement. We do not expect our readers to turn on each other. We will be aggressively deleting all comments that personally attack another poster, or an article author, even if the comment is otherwise a well-argued observation. If we see repeated behavior, we will ban the commenter. Please help us maintain a civil level of discourse.

Newsletters