Pub. 1 2021 Issue 2

KENTUCKY AUTO DEALER

CUSTOMER DATA BREACH SECURITY – DEALERS SHOULD ENSURE DATA SECURITY COMPONENTS ARE IN PLACE AND ENFORCED IN EXISTING AND PROSPECTIVE VENDOR AGREEMENTS

With alarming frequency, we hear news of the latest data breach or privacy intrusion involving customer information. Indeed, as this article was going to print, reports surfaced of an OEM’s circulated memorandum to its franchised dealers advising them of a vendor data breach potentially affecting more than a reported 3.3 million customers and prospective car buyers,[1] causing the industry to once again take inventory of data security and privacy issues.

According to the reports, along with public statements issued by the OEM, customer information was ostensibly collected for sales and marketing purposes by the OEM’s vendor and allegedly held in an unsecured electronic file which was compromised, impacting customers’ sensitive information related to vehicle purchases, loans and leases. Additionally, while the details of the breach are still developing, it has been further reported that dealers that use a specific lead management program offered through the vendor may also be impacted. The OEM preliminarily reported that the customers’ potentially compromised data consisted of driver’s license numbers and, in some instances, dates of birth, Social Security numbers and account numbers, as well as email addresses and telephone numbers.

So, what does this mean besides the possibility of litigation, potential liability, regulatory scrutiny and investigation, and unsettled or unhappy customers? The most recent data breach incident is yet another reminder to dealers of the need to regularly evaluate the data security components of both existing and prospective vendor contracts and agreements.
Customers’ privacy and their assurance of its security when doing business with your dealership are not only important to your dealership’s goodwill and reputation in the retail community; they are also the dealership’s legal obligation. Even prior to this most recent OEM vendor security breach incident, the privacy and security of customer information have been, and continue to be, a primary focus of federal and state regulatory enforcement activity.

In one of its recent consumer protection enforcement cases relating to breach of data security, the Federal Trade Commission (FTC) charged Ascension Data & Analytics, LLC [2] with violations of the FTC’s Standards for Safeguarding Customer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, and the Gramm-Leach-Bliley (“GLB”) Act, 15 U.S.C. § 6801 et seq., by failing to properly vet and oversee protection of customer information placed in the cloud-based storage system by its vendor. The alleged breach resulted in over 60,000 customers’ private, personal information being exposed (i.e., names, dates of birth, Social Security numbers,

By Julie A. Cardosi, Law Office of Julie A. Cardosi, P.C.
