Recently, I learned that my local legislature in Arizona is considering a bill to require highly secure enterprise computer systems to provide system-level access to companies that they do not know, have not scrutinized, and/or consider hostile. These systems house and process financial and sensitive data of millions of consumers, hundreds (or thousands) of financial institutions, and all the credit-reporting agencies. Perhaps even more remarkable is that these bills are being considered in several states, and by the time you read this, may already be law in two states.
The Arizona bill is House Bill 2418. The Montana bill is House Bill 617. Oregon is House Bill 3152. North Carolina is House Bill 455.
Why is this happening, and why is it so far under the radar?
Apparently, there is a dispute between automobile dealers and the providers of dealer management systems, the enterprise computing systems that connect dealers with car manufacturers, service providers (e.g., consumer lenders, warranty and insurance companies, and apps such as Cars.com), and everyone who test drives, purchases or services a car at the dealership. There are about a dozen DMS providers and 14,000 dealerships nationwide. That’s a lot of personally identifiable information and other sensitive data.
The biggest DMS providers take data security very seriously and scrutinize every company that wishes to access the system. Dealer employees get the highest levels of access. Manufacturers and all approved service providers connect through certified interfaces that carefully manage and monitor activity to protect system integrity and data security. Data syndicators — third parties whose activity is merely moving data between the DMS and service providers — are never approved by the biggest and most secure DMSes. It’s a trust and security issue. That’s where the problems arise.
Now a group of unhappy dealers and data syndicators asked the National Automobile Dealers Association to draft model legislation that forces DMSes open, and now the powerful state dealer associations are pushing these bills. Privacy, cybersecurity and consumer protection experts are not aware of these bills because they are buried in larger franchise legislation that is being heard in transportation committees or general business committees where privacy and data and consumer protection issues are not often considered.
Clearly, these committees also don’t understand what they are reading, because it is spun as “cybersecurity for the dealers’ data.” It may be the dealers’ data, but it is not the dealers’ systems. The bills permit the clients (the dealers) to grant access to the DMS providers’ systems (which the dealers have to purchase licenses) to any third party – against the licenses, against the providers’ wishes, against all known security and privacy protocols — open access for all — woo-hoo!
Additionally, the legislatures don’t worry about violating the contracts clause of our constitutions (or the takings clause either – seems like private property is being taken by the government ...).
I wrote an op-ed in an Arizona newspaper to call attention to this terrible legislation, but it passed unanimously in the House of Representatives and Senate and is awaiting the governor’s signature or his inaction.
There was also a news story on it by ABC15, and as is apparent, it is being spun as a cybersecurity bill for the dealer data. Even the cybersecurity expert, whom I greatly respect, doesn’t pick up on the fact that the dealers are being legally allowed to let in any third party they choose into someone else’s system despite that these third parties won’t be vetted by the system owners and have in the past been sued and admitted to hacking practices to get into these same systems.
We need more privacy and cyber experts to get engaged and stop these bills. Who wants to help?
Photo by Markus Spiske on Unsplash