Even before the retail world was rocked by high-profile personal data thefts from The Home Depot last year and Target in 2013, car dealers, their associations, vendors and automakers have been on a campaign to educate participants on good data stewardship.
With good reason, said Brad Miller, director of legal and regulatory affairs for the National Automobile Dealers Association.
Dealerships gather lots of nonpublic personal information from customers, especially in the F&I office, Miller said. That information includes credit applications, Social Security numbers, financing terms and other data that consumers expect won't be shared with, or fall into the hands of, anyone except the persons involved in their vehicle purchase.
Data breaches or even failure to have proper data-handling processes could leave stores open to regulatory fines or worse, he said.
To date, the industry has avoided high-visibility problems. But a data breach at a dealership would reflect badly on a store and, by extension, on the brand whose products are sold there, he said. "Dealers have been relatively lucky," he said.
Vendors of dealer management systems and other software firms have been on the front lines of the industry fight to ensure that car companies and service providers get sufficient information to serve customers while safeguarding their personal information.
A dealer management system, or DMS, is the main operating software of a dealership. It houses payroll, accounting, inventory management, parts, service and often customer relationship management tools. It also typically stores all customer information.
The industry's dominant dealer management system vendors are CDK Global and Reynolds and Reynolds, which together provide such systems to about 80 percent of franchised stores. Both companies require their dealership clients' software and service providers to undergo aggressive certification programs.
A major cog of certification is a vendor's ability to safeguard dealership data, said Bob Schaefer, vice president of data services and OEM sales at Reynolds and Reynolds.
To obtain certification, any vendor interacting with a dealer management system provided by Reynolds must demonstrate its protocols for handling data.
That includes buttoned-down contracts detailing how data will be used, whether they will be shared and the understanding that the data flow is subject to audit by Reynolds, Schaefer said.
The last item is critical because a dealership and its DMS vendor could be held responsible should customer data fall into unauthorized hands, he said. Periodic audits to test whether processes and employee training are being adhered to can prevent problems.
Schaefer said he has seen a discernible trend of dealerships that have moved, like McKinley, to pushing data out from their systems for harnessing rather than allowing vendors into their systems via pass codes.