Protecting consumer data is a critical undertaking in the finance and insurance office, and state regulators are upping the ante on how they monitor it. But while most eyes are on California, dealers should be watching the East Coast as well.
The New Jersey attorney general's office is homing in on businesses that improperly manage customers' personal information. That includes car dealerships.
A new data privacy and cybersecurity unit will focus on Internet privacy and data security investigations, according to the attorney general's website. "The creation of a dedicated section highlights the critical importance of the subject area and the increasing need for vigilance of consumer data in today's digital age," the site says.
For years, New Jersey has been on the shortlist of states with attorneys general known for active regulation in auto retailing. Last year, the New Jersey attorney general's office filed a consent order against the dealership management software company DealerBuilt after a data breach affected at least four dealerships in the state and at least 2,471 New Jersey residents. DealerBuilt agreed to an $80,784 settlement.
Interestingly, instances of data breaches — and the number of affected consumers — declined in the Garden State last year. There were 906 data breaches reported to the New Jersey State Police in 2018, according to an October report from the New Jersey attorney general and the state's division of consumer affairs, down from 958 in 2017.
The number of affected residents plunged more than 90 percent, from 4.3 million in 2017 to 358,000 last year. But the regulators noted that the drop doesn't indicate an overall downward trend but instead reflected the large number of residents affected by the massive 2017 data breach at Equifax. Putting aside the Equifax year, the affected resident count in 2018 was more than triple the count in 2016.
Finance and banking, health services, business services and retail trade are the sectors most often associated with data breaches, the departments found.
New laws and regulations such as the California Consumer Privacy Act are also heading to dealerships. Effective Jan. 1, the act requires businesses to honor consumers' demands to access personal information collected about them; know whether their personal information is sold or disclosed and to whom; and opt out of the sale or sharing of personal information, among other stipulations.
Dealers, be aware of the consumer protection activities going on in other states. Even without doing business in those locations, a dealership's F&I office could be affected should copycat legislation come to its state, or should its own state form oversight departments similar to the one in New Jersey.