When a driver sells a used car to a dealership, he or she is often reminded to check around the vehicle for personal items – a cellphone, say, or maybe a child’s toy.
But what about personal data stored in the car’s computer system?
How many consumers know what type of personal information is in their vehicles when they sell it?
Personally identifiable information (PII) is data that can be used to identify a specific individual. It starts with Social Security numbers, mailing or email addresses, phone numbers and the like, but also includes a wide range of digitally available data, such as IP addresses, login information and more.
Much of that data is collected by vehicles, as users connect their smartphones to vehicle infotainment systems and use onboard navigation systems and universal garage door openers.
Text messages, call logs, home addresses and even medical and financial information are all vulnerable to theft if left behind when a vehicle is sold.
The numbers provide a true sense of the enormity of the problem of what is known as “persistent data.”
More than 80 percent of the vehicles currently operating in the U.S. are able to capture personal data, and more than four out of five cars sold last year contain personal data.
What’s most concerning is consumers are not as aware of the security risks as they should be.
A recent IBM security survey revealed only 8 percent of consumers were worried about protecting car navigation data compared to 64 percent who cared about data security in their mobile devices.
In the automotive industry – especially used car dealerships – that problem has been festering for some time.
A few individuals have been ringing the warning bell for years to alert the industry about PII in vehicles. State legislatures in California, New York and Georgia have taken the lead by enacting privacy laws, and more than a dozen other states have bills pending.
Federal agencies, including the Federal Trade Commission, are taking a hard look at the issue.
In 2017, the FTC co-sponsored a national conference with the National Highway Traffic Safety Administration and asked NHTSA to define its role and responsibilities related to the privacy of data generated by and collected from vehicles.
Currently, the issue is still largely undefined by law.
Peder Magee, a senior attorney for the FTC’s Bureau of Consumer Protection, said there is no law enforced by the bureau that specifically requires companies to delete or protect the privacy of consumers’ personal information stored in a car’s computer system.
But that doesn’t mean anything goes. Magee said the FTC can protect consumer privacy using the FTC Act’s prohibitions against unfair or deceptive practices.
“If a company makes a promise about how it protects a consumer’s personal information and fails to abide by that promise, it could open itself to enforcement under the FTC Act,” he explained.
“Similarly, even without such a promise, a company that engages in acts or practices that are unfair could be subject to an enforcement action.”
Magee said an act is considered unfair under the FTC Act if it “causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits.”
Legislative wheels move slowly, so in the meantime private firms are stepping up to try to tackle the problem.
This year, KAR Global – parent company of ADESA auctions and digital auction platform BacklotCars – launched a new training program for employees, symbolized by animated mascot Privacy Pam, to advance its commitment to data privacy in the digital age.
“As the growing patchwork of government and customer requirements continues to evolve,” KAR chief privacy officer Michelle Bray said, “Privacy Pam will help ensure every KAR employee around the globe is aligned, aware and mobilized around this priority.”
One group that’s taking a proactive approach to personal information is the American Recovery Association, the world’s largest organization of professional repossession agents.
Executive director Les McCook said in-vehicle data security is a “super big issue” for the industry.
“When you sell your car to a dealership or another person, or if it goes to auction, you’re selling more than just your vehicle,” he said. “You could be giving them personal information from your navigational unit, passwords to your garage door opener, your home address, personal photos, a list of your contacts and even banking information.”
To combat that problem, on June 1 ARA announced a partnership with Privacy4Cars. com, a technology company focused on “identifying and resolving data privacy issues across the automotive ecosystem.”
ARA members will have access to Privacy4Car’s technology to help them delete personal data from repossessed vehicles, minimize member risk and differentiate themselves from competitors.
McCook said ARA, along with “other organizations like auction houses, dealerships and finance groups,” believes Privacy4Cars founder and CEO Andrea Amico “is at the forefront of this problem and has a firm grasp on how to solve it.”
Amico said he and his staff have been developing the Privacy4Cars technology for seven years.
In 2014, he authored the first statistical study on how frequently data is left in rental and for-sale vehicles and the kinds of data found there.
While completing that project, he realized how extremely common it was for drivers and occupants to leave – and unknowingly give others access to – highly detailed digital footprints of personal information in vehicles they no longer owned or controlled.
Amico, a cybersecurity and vehicle privacy expert, designed his patent-pending process for deleting personal information from vehicles and launched his app in 2018. His company recently launched a new website that offers a variety of resources for businesses.
Repercussions
Buying and selling used vehicles whose systems contain PII creates a number of important issues, but many dealers haven’t thought about or don’t understand the potential repercussions.
If a consumer discovers his or her personal information has been shared or stolen from a vehicle sold to a dealership, that dealership could be threatened with a lawsuit – defending against which can be difficult and costly in terms of legal fees and potential fines.
At the very least, the dealership could end up with a bad reputation through word of mouth, social media, online reviews or even being spotlighted in a television news segment.
Remarketers and dealers reselling vehicles without first erasing consumer data captured in onboard computers and convenience systems can put themselves at risk of violating consumer protection laws, Amico said.
“Dealers have to realize that whoever holds the title to a vehicle is responsible for any data security problems or breaches,” Amico said.
“They have to treat a vehicle like any electronic device, such as a smartphone or computer.
“Once they face a lawsuit, the math quickly adds up, especially for independent dealers. It’s just good data hygiene to eliminate the personal data.”
Whose Responsibility Is It?
Because there is no federal law that specifically addresses data stored in vehicles – rather, the issue is covered by an assortment of laws from state to state – it isn’t always clear who has responsibility for that data.
But ignoring the issue is taking a risk.
Steve Levine, an attorney and chief legal and compliance officer of Ignite Consulting Partners, said the responsibility falls on the dealership to wipe a used car clean of any personal data.
“This problem has been on the auto market’s radar for years,” he said. “As cars continue to be more connected and more people carry smart devices, it will continue to be a bigger problem. And eventually, every car will be impacted.”
Levine likens the issue to a similar case years ago involving copy machines.
Offices and businesses leased copy machines, and every time a copy was made, the image was stored in the machine.
When the copy machine company picked up the old machine, it also carried away a lot of personal and corporate data stored on the machine – resulting in litigation.
Levine said those suits can be based on state privacy laws or negligence claims. And, he added, “Plaintiffs’ lawyers will attempt to fit their claim under an unfair or deceptive acts and practices claim to try to get triple damages and attorney’s fees.”
Levine said customers should be concerned when they sell or return a vehicle to a dealership.
“They don’t know where their vehicle will end up – on the dealer’s lot, at auction… Who knows?” he said. “Plus, the majority of car owners have no idea how to wipe their data off of their vehicle.
“Dealers have to take this onto themselves and do right by the customer. It deserves consideration by the dealership to put it into policy and develop a process to protect the customer.”
Some dealers are already doing that.
One of them is Jeff Watson, owner of 4 Seasons Auto Sales in St. George, Utah. Two years ago, he added “depersonalization” to his dealership’s reconditioning process.
Previously, his service team simply looked in the glove compartment and trunk for personal items and removed stickers and decals.
Now the team resets the vehicle to its original factory settings and deletes any personal data, including addresses in navigation systems, phone numbers and even music lists.
“I learned about that from my NIADA Dealer 20 Group,” Watson said. “Then I tested it with my own car that I recently sold.
“With the rise of ID theft, it’s certainly something dealers need to keep on their radar. It’s very easy to implement as a policy.”
Privacy and Security Laws
As governments begin to address the issue of persistent data, they must answer one question: Who should be responsible for wiping a car clean of personal information before it’s sold?
Manufacturers? Dealerships? Auctions? Technology providers? Consumers?
And should it be a federal issue or a state issue?
“I believe the onus should be on the automobile manufacturers,” said Joel Kennedy, president of the National Automotive Finance Association, a trade association serving the non-prime auto financing industry.
“If they make it easy for a consumer to populate the car with data, they should take responsibility for helping the consumer wipe the car clean of that data.”
Charles Henderson, a security expert and Global Managing Partner of the IBM Security X-Force, said automakers will likely do just that in the not-too-distant future.
“I expect the auto industry will improve mechanisms to clear out persistent data,” he said. “Why should a third party have to fix the problem?”
For now, the data privacy challenge continues to grow. Newer connected vehicles that collect more data will be put on the road. Legacy vehicles will continue to change hands, and personal data will move to every new owner.
Auto manufacturers will develop more connected technology that makes driving easier and safer – but captures more personal data.
Amico suggested dealerships should look at this scenario as an opportunity to set themselves apart from competitors by wiping personal data from their cars – and promoting that fact.
Smart dealers, he said, can get ahead of the curve and market that as a competitive advantage over other dealerships that don’t offer the service.
“This is a massive problem that hasn’t been addressed,” McCook said. “And we’re barely seeing the tip of the iceberg.
“It won’t be a cakewalk to solve it, either. Last year, we had 2 million repos in the U.S. That means 2 million opportunities for personal data to be lost. Who is going to step up to the plate?”
What Can Dealerships Do?
Here are some tips from industry experts on minimizing risk from persistent data:
- If you buy a vehicle from an auction, ask the auction what steps it has taken to clean data out of the car. Auctions can easily use the manufacturer’s remote access system to reset the vehicle according to its VIN – it takes only a day to do it.
- Put a process in place to remove consumers’ personal data. Just as a vehicle is inspected for safety and maintenance issues and reconditioned when it’s taken in, wiping the vehicle of personal data and resetting it back to factory settings should be included on the checklist.
- Adopt third-party technology to erase personally identifiable information.
- Call the vehicle’s manufacturer directly to gain remote access to erase the data.
- Work with consumers. Ask them questions and check vehicles for any type of personal information before accepting them onto your lot.
- Become more active politically and ask local and state legislators about enacting laws regarding this issue.