September 13, 2025
By Barrie Charapp Beaty
Charapp & Weiss, LLP
bbeaty@cwattorneys.com

Motor vehicles have never been as advanced as they are in today’s digital age. With all of the technology, you take the bad with the good.
Software-defined vehicles (SDVs) have begun to dominate the automotive market. In 2024, the SDV market was valued at an estimated $213.5 billion, with a forecasted market value of $1,230 billion by 2030.[1] However, this transition in the automotive industry brings a tradeoff between centralized software efficiency and the increased cybersecurity risks that arise from dependency on this software. This has resulted in manufacturers scrambling to secure these systems while maintaining the connected experience consumers expect.
Companies like Subaru have already faced cybersecurity risks on a broad scale due to their incorporation of the STARLINK connected vehicle service.[2] This past January, Subaru had a vulnerability that would have allowed hackers to remotely access personal data, including real-time vehicle locations, credit card information, vehicle PINs, and more.[3] Beyond those capabilities, the vulnerability would have allowed attackers to remotely start, stop, and lock/unlock vehicles.[4]
Kia has also faced its own slew of cybersecurity issues. In mid-2024, it was discovered that simply by knowing the license plate of a Kia vehicle, hackers would be able to obtain the personal information of the car’s owner as well as remotely control the start/stop and lock/unlock mechanisms of the vehicle.[5] This vulnerability was quickly patched by Kia, but it is a cause for concern that multiple big-name automotive brands have been susceptible to attacks on potentially millions of vehicles.[6]
Artificial intelligence has also been making waves in the automotive industry through advanced driver assistance systems (ADAS), predictive maintenance software, and autonomous driving features that many brands, including Tesla, Mercedes-Benz, and GM, have begun to incorporate in their vehicles. The automotive AI market was valued at approximately $4.29 billion in 2024 and is predicted to grow to over $14 billion by 2030.[7]
Cybersecurity within automobiles must be thorough, covering both wireless and wired entry points, since both are vulnerable to potential cyberattacks. In the first half of 2024 alone, there were over 100 automotive cybersecurity incidents, ranging from breaches of IT systems and keyless entry systems to compromised autonomous driving assistance, and more.[8] These incidents put both the safety and privacy of consumers at risk. Unfortunately, the number of automotive vulnerabilities has only increased over the years as the automotive industry has become more intertwined with software technology. Over the course of 2024, and continuing into the present day, these issues led to numerous recalls due to software defects and concerns over cybersecurity.
Many states, including Maryland, have been developing laws to combat cybersecurity threats, including those posed by artificial intelligence. Maryland has established a framework through its Cybersecurity Council to prepare for cybersecurity breaches that threaten to harm critical infrastructure, mandating collaboration of both federal agencies and private entities in order to review and conduct risk assessments as well as recommend strategic plans to combat these attacks.[9] As the automotive industry becomes more entangled in technology, dealerships nationwide must take measures to mitigate any potential risks related to cybersecurity and the incorporation of AI.
How this Impacts Dealerships
Dealerships must be aware that although this is an issue that begins with the manufacturers, it still has the potential to impact dealerships in a multitude of ways. Dealerships need to take necessary steps to minimize their liability when it relates to cybersecurity and AI.
- Dealerships need a process to securely erase all data upon purchase of a trade or return of a loaner. Whenever the dealership acquires a trade or gets back a loaner or demo, there needs to be a policy to ensure that you securely dispose of the data on the vehicle (contacts, GPS history, etc.) before initiating further transactions with the vehicle. The dealership needs to have a policy and staff needs to understand their roles so that loaners do not go from one customer to another with the former’s data stored in the vehicle. Have a policy, train on it, and enforce it.
- Insurance. Typically, your general garage policy will not cover cybersecurity breaches. You will need a separate endorsement. You need to understand what the endorsement covers. You need to work with your insurance representative to make sure you have policies that cover you for cybersecurity breaches and minimize your out-of-pocket liability.
- Know the vehicle and perform work, if needed. There is exposure if dealerships sell vehicles that have cybersecurity breaches, and they knew of the breach or the breach was reasonably discoverable. Dealerships failing to keep up with the known and reasonably discoverable risks of the vehicles they are selling could face lawsuits including claims of negligence, misrepresentation, and breach of warranty. Dealerships must stay on top of bulletins and recalls issued by the manufacturer, which have proven to be quite frequent due to cybersecurity breaches.
- Secure your system. It is also important that dealerships bolster their own cybersecurity systems because the potential for a dealership’s information being infiltrated by cyberattacks is only heightened once cyber-attackers are able to breach the vehicle and its software. In order to minimize the risk of cybersecurity attacks on vehicles that directly lead to an infiltration of your systems, keep your dealership networks completely isolated from the vehicles themselves. Make sure that you are encrypting all consumer financial data and utilizing it within the bounds of state privacy laws, the FTC’s Safeguards Rule, and other relevant cybersecurity laws.
- Hire a Compliance Company. We recommend that dealerships work with compliance companies, such as ComplyAuto, which will help get your cybersecurity systems up to par with both state and federal law (including state privacy laws and the FTC’s Safeguards Rule) in order to protect your information as well as your consumers’ information.
- Seek indemnification from the manufacturer for its errors. OEMs have a duty to indemnify you for any suit that you are brought into as a result of cybersecurity issues that result from manufacturer product, error, design, and/or other fault.
- Warranty reimbursement. Make sure OEMs are paying you for those recalls, warranty repairs, and over-the-air (OTA) updates that dealers assist with, as permitted under your state franchise act, such as in Virginia.
- Response plan. Develop an incident response plan for your staff to adhere to in the event of a cybersecurity breach. The plan should have actions that need to be taken so that you are in compliance with state and federal laws. You should seek counsel’s advice in the event of a breach.
[1] https://www.globenewswire.com/news-release/2025/02/27/3034023/28124/en/Software-Defined-Vehicle-SDV-Market-Research-2025-Global-Forecast-to-2030-with-Tesla-Li-Auto-NIO-Rivian-XPENG-and-ZEEKR-Leading-the-1-23-Trillion-Industry.html
[2] https://cybersecuritynews.com/subaru-car-vulnerability-lets-hackers-control-the-millions-of-cars-remotely/
[3] https://cybersecuritynews.com/subaru-car-vulnerability-lets-hackers-control-the-millions-of-cars-remotely/
[4] https://cybersecuritynews.com/subaru-car-vulnerability-lets-hackers-control-the-millions-of-cars-remotely/
[5] https://samcurry.net/hacking-kia
[6] https://samcurry.net/hacking-kia
[7] https://www.grandviewresearch.com/industry-analysis/automotive-artificial-intelligence-market-report
[8] https://documents.vicone.com/reports/shifting-gears-2025-automotive-cybersecurity-report.pdf
[9] Md. State Government Code Ann. § 9-2901