Imagine returning late one night from a business trip and walking across the airport parking lot to your car to drive home. You press the remote keyless-entry fob to unlock and start the vehicle. Strapped in and cellphone plugged into the charger, you're on your way. Or not. A routine drive home is impossible now that a hacker has deployed "gridlockware" to your vehicle, rendering it inoperable. You are stranded, unless you follow instructions and pay ransom.
Don't believe this could happen? A 2019 Georgia Tech study proved the likelihood, only on a much larger scale, with devices known as "code grabbers" that copy or intercept the signals used to remotely open and start vehicles. According to a 2019 FBI cybersecurity report, the U.S. automotive industry has been under siege since 2018 by ransomware infections and data breaches aimed at gaining access to personal information and exploiting network vulnerabilities. In 2019, a massive data leak from an unsecured car-buyer marketing database exposed 198 million records containing personal information.
For years, American consumers provided personal information to dealerships only to find it potentially vulnerable to exploitation now on the dark web or in the hands of cybercriminals. California is one of the first U.S. states to pass sweeping legislation to combat this and other trends with the California Consumer Privacy Act of 2018, which took effect Jan. 1 this year.
The auto industry will start to experience what the health care and finance sectors have been facing for decades — an ever-changing and more complex privacy landscape. Specifically, the CCPA creates consumer rights for Californians that enable access to, sharing or deletion of, and the ability to opt out of the sale of, personal information collected by a business.
Translation: Companies need to reassess their customer practices, information life cycle and business model to adhere to the shift happening in California to empower consumers to take the lead on decisions about their personal information.
Over the years, dozens of states have enacted privacy and data-breach laws. None, however, have been as far-reaching as the CCPA, which has been compared to the European Union's General Data Protection Regulation that became effective in 2018. A major difference, though, is that the cost of a CCPA violation is not capped and includes a private right of action. With a range of up to $750 per violation, a data breach of 10,000 records could cost as much as $7.5 million — enough to spell bankruptcy for a dealership.