MOVEit and Loseit: You Need a Compliant Dealer Data Sharing Process


In an era where personal data is one of the most valuable commodities, ensuring its security has become an urgent concern for both companies and regulators. An important warning for dealers and their Dealer Service Providers (DSPs) is the recent data breach that affected Clearwater Credit Union and several other financial institutions due to the security vulnerabilities present in a vendor’s software, MOVEit. Clearwater, a financial institution with nine locations and roughly the same size as a small dealer group, probably never envisioned being caught in a massive data breach spanning dozens of countries and potentially hundreds of companies.

However, Clearwater’s contracted vendor was using the MOVEit software, leading to the loss of sensitive personal information for over 25,000 customers. Although we are still in the early days of this data breach’s fallout, we anticipate that the Federal Trade Commission will start an investigation under the Revised Gramm-Leach-Bliley Act (Safeguards) because the breach involves a financial institution.

Dealerships face the same risk of regulatory investigation, exorbitant fines, and ruinous litigation as this credit union. Under the FTC Safeguards Rules, they are also classified and regulated as ‘financial institutions’. Clearwater’s potential consequences could include class action lawsuits, regulatory investigations, and possible Safeguards fines of up to $1.2 billion for the mishandling of 25,000 customers' data. Alarmingly, Clearwater Credit Union and local dealerships share the same regulatory risk around consumer data but lack the robust resources that major financial institutions have to protect it.

As the DSP, you are liable.

If your dealer system was facilitating data transfer to a breached third-party vendor, your dealers' problems are your problems, too. As the DSP, you are liable for sending dealer data to the breached provider if the dealer did not provide their prior express written consent.

This liability extends to all DSPs, including DMS, CRM, and other systems that share dealer data. This is a stark illustration of the data security complexity that exists in today’s deeply connected business ecosystem.


This incident emphasizes the urgency of robust data security measures, not only within a financial institution like a credit union or dealership, but also throughout their extended networks of DSPs and third parties. The FTC’s GLBA Safeguards revisions further underscore this by making financial institutions, including dealerships, liable for their vendors' (mis)handling of consumer data.

Dealers will first be investigating their DSPs

Before dealers accept liability for another vendor's data breach, they will first be investigating their DSPs, which will need to provide evidence that a breached vendor obtained data with the dealer's prior express written consent. This opens up the possibility for the dealer’s Safeguards liability to be transferred to the data provider. By sharing dealer data, you are sharing your dealers' risk.


DSPs could be facing up to $5 billion in FTC fines

In such a landscape, it’s crucial that you have the right tools to prove secure data sharing practices to your dealers and regulators on the hunt for noncompliance. In our example situation, DSP B would be at risk for FTC Safeguards violations of up to $50,120 per violation. Assuming they had 100,000 consumer records breached by the Third Party Provider and could not provide evidence of secure data handling practices (among other Safeguards responsibilities), the DSP could be facing up to $5 billion in FTC fines due to the Third Party’s data breach. And that doesn't even include the costs of a potential class action lawsuit from dealers or consumers. At the core of these risks lies the obstacle of efficiently managing dealer data sharing authorizations during the vendor integration process, a challenge that your DSP is likely facing today. Reduce your risk with Activate.

Proving Process Compliance with Activate

Activate is an automated workflow tool designed to make your dealer integration activation process efficient, ensure compliance with your data sharing policies, and meet the compliance demands of your dealers. It’s designed to empower you to reduce risk and navigate the complex ecosystem of dealer data sharing with confidence.

At the heart of Activate is the capability to streamline and automate the dealer authorization process. When an integrator enters a dealer’s information, an automated email is triggered to the dealer requesting their e-signature for data transfer authorization. This straightforward and efficient process eliminates the often chaotic, error-prone methods of securing authorization, significantly reducing the potential for unauthorized data transfer. It safeguards your organization in the event of a data breach like the one experienced by Clearwater.

Why Activate?

Activate goes beyond basic data-sharing compliance. It provides a detailed record of every activation, creating an invaluable asset during audits or dealer-initiated inspections. Its centralization and transparency enable your organization to quickly pinpoint which dealers may have been affected by an integrated vendor’s data breach and prove that your process guarantees the data transfer was authorized by the dealers.

In a world where data breaches like the one affecting Clearwater Credit Union are becoming more pervasive each day, it is critical that you have a secure, efficient, and automated process for managing dealer data sharing authorizations. Don’t wait for your dealers to approach you after a breach occurs with one of their other vendors.

Foster enduring trust and long-lasting dealer relationships by affirming your commitment to regulatory guidelines. Demonstrate respect towards your customers' sensitive data by properly handling dealer data sharing authorization. Activate doesn’t just tick boxes. It’s a commitment to your dealers and reduces your risk of getting caught in the cross-hairs of an FTC Safeguards investigation. It’s not just an advantage, it’s a necessity.

Get in touch with Motive Retail for a demo and start using Activate today!
