The issues around control and protection of customer data between DMS providers and dealers have long been a topic of concern and the subject of litigation in the industry.
Jared Allen, vice president of communications for the National Automobile Dealers Association, said in an emailed statement that dealers rely heavily on their technology vendors to adequately protect the sensitive data that they obtain and store.
"We are aware of the issue with this vendor, and are keenly aware of the tremendous data security challenges dealers face, which we have been working in earnest for many years to address," Allen wrote.
More recently, dealers have tried to gain more control over the data by turning to their statehouses. Laws in Arizona and Montana, which allow dealers to share their DMS data with any third party of their choice while also prohibiting DMS companies from charging fees, have passed and were signed into law this spring.
Similar legislation has been introduced in at least two other states, including Oregon and North Carolina.
Robert Glaser, president of the North Carolina Automobile Dealers Association, said proposed legislation in that state would help shield dealers from liability.
"It comes down to who's responsible in the event of a breach, and the dealer's fundamentally responsible to protect that data," according to the Gramm-Leach-Bliley Act, Glaser said. "Dealers fundamentally believe that if that data lies in their system, they're fundamentally responsible to protect it."
Dealerships involved in the DealerBuilt breach are a potential case in point. Those clients could still be contacted by disgruntled customers or regulators for failing to select a vendor that complied with the Safeguards Rule, said Jim Ganther, president of Mosaic Compliance Services.
He added, "My advice for the dealers: Lawyer up, be proactive and keep your checkbooks warm."
David Muller contributed to this report.