Dealerships also should make sure they know their vendors' security practices and require that data protection provisions are part of contracts, Baumann said. That could include requiring that the data only be used to provide dealership services.
"Once information leaves a dealership," Baumann said, "it's hard to exert any control over it."
Dealership marketing company Outsell takes in customers' names, email and physical addresses and some vehicle information, such as repair actions performed, said Chris Johnson, vice president of development.
The company allows employees to access only the information they need to perform their roles, Johnson said.
"The best way to avoid having any kind of issues around sensitive data is first to make sure you're not pulling in any sensitive data you don't need," Johnson said. "We don't need driver's license information, we don't need credit card information, to do marketing solutions."
One way to protect data at rest and when it's being transmitted is through encryption, said Erik Nachbahr, president of Helion Technologies, a dealership information technology consultant. Encrypted data requires keys to unlock and is unreadable to an intruder who accesses an email inbox or an internal server.
Yet encryption is also a pain point for the industry, though dealers have become more receptive to using it, Nachbahr said. Encryption often is included with security protections at little to no extra cost, he said, but accessing encrypted information also requires extra steps that create inconvenience.
Stephen Dimock, chief technology officer at WebBuy, said the digital retailing provider doesn't store personally identifiable information collected for such purposes as credit applications — Social Security numbers and birthdates, for example.
WebBuy keeps other, less sensitive information, such as a customer's occupation, generally for up to 30 days before purging it from the company's servers, Dimock said, adding that the information also is passed to a dealership's customer relationship management system and kept in accordance with the CRM provider's data retention policies. WebBuy will retain email addresses and phone numbers of customers who create accounts to manage login access.
Dimock said it's WebBuy's responsibility to be on top of data security because a customer is going to look directly at the dealership in the event of a breach.
"Security is a constant development," he said. "You're making a big mistake if you assume that you're fully covered at any given time."
David Muller and Larry P. Vellequette contributed to this report.