The FTC Information Safeguards Rule has been around for more than a decade, so most suppliers will agree to protect the non-public personal information (“NPPI”) of your customers. However, your information can be valuable to a supplier even when no NPPI is shared. A supplier does not have to reveal the name and personal information of the buyer of a new vehicle in order to sell the prices at which you sold each model, what you charge for doc fees on average, or an array of other information. Your information is valuable when it is compiled and sold, and when the supplier uses it for its own purposes.
Dealers often request contract language they can use to protect the information to which a supplier has access. That is a good idea, but it will not provide strong security unless you carefully check out the suppliers with which you do business. If you do business with a company that has limited resources and that you can find only in the virtual world, you will have no recourse if agreements are breached. When dealing with suppliers who seek access to your DMS data, keep four Ws in mind as you investigate whether you really want to do business with the supplier and give it your data.
Why do you need access to the DMS data? The best rule is that you should not allow open access to your data. Have the supplier carefully define the data it needs, review why it needs the data, and push the data you agree to provide to the supplier. Allow access as an exception for a compelling reason.
Who are you? What do you know about the company asking for access to your data? Is it an established company with solid financials with a great deal to lose if it breaches its agreement with you? Or is it a company that can shut down and set up under a new name if there is a hint of trouble? Just as you should know your customers, know your suppliers. Is the supplier financially solid? Is it in business for the long term? Get references and call them. Review standard business ratings services to determine how others have rated the supplier. Ask about their finance sources, and call those finance sources to check out the supplier. Always know who you are dealing with.
Where are you? If you have a problem, how will you find the supplier? Does the supplier have a fixed address? Or does it have only a cyber-presence? If you want to sue the supplier over misuse of your data, how will you find that supplier and where can you sue?
What are you going to do with the information? Any information shared with a supplier should be designated only for servicing your account. The supplier should not use it for its own purposes. It should not be allowed to sell the information. The supplier should not be permitted to create compilations of data that it can use or sell, whether the compilations are drawn just from your information or from your information lumped with data from others.
Your first line of defense for preserving your data is to protect it, to share it only to the extent necessary, and to insist that it be protected and used only for you by a supplier that is a solid business you can find and hold responsible.
Unless the supplier can answer the four Ws to your satisfaction, find another supplier.