{"id":1202,"date":"2021-08-25T12:14:22","date_gmt":"2021-08-25T17:14:22","guid":{"rendered":"https:\/\/niada.com\/?p=1202"},"modified":"2022-03-02T10:49:57","modified_gmt":"2022-03-02T16:49:57","slug":"personal-information-stored-inside-cars-presents-a-potential-risk-to-dealers-who-buy-and-sell-them","status":"publish","type":"post","link":"https:\/\/niada.com\/dashboard\/personal-information-stored-inside-cars-presents-a-potential-risk-to-dealers-who-buy-and-sell-them\/","title":{"rendered":"Personal information stored inside cars presents a potential risk to dealers"},"content":{"rendered":"\n<p>When a driver sells a used car to a dealership, he or she is often reminded to check around the vehicle for personal items \u2013 a cellphone, say, or maybe a child\u2019s toy.<\/p>\n\n\n\n<p>But what about personal data stored in the car\u2019s computer system?<\/p>\n\n\n\n<p>How many consumers know what type of personal information is in their vehicles when they sell them?<\/p>\n\n\n\n<p>Personally identifiable information (PII) is data that can be used to identify a specific individual. It starts with Social Security numbers, mailing or email addresses, phone numbers and the like, but also includes a wide range of digitally available data, such as IP addresses, login information and more.<\/p>\n\n\n\n<p>Much of that data is collected by vehicles, as users connect their smartphones to vehicle infotainment systems and use onboard navigation systems and universal garage door openers.<\/p>\n\n\n\n<p>Text messages, call logs, home addresses and even medical and financial information are all vulnerable to theft if left behind when a vehicle is sold.<\/p>\n\n\n\n<p>The numbers provide a true sense of the enormity of the problem of what is known as \u201cpersistent data.\u201d<\/p>\n\n\n\n<p>More than 80 percent of the vehicles currently operating in the U.S.
are able to capture personal data, and more than four out of five cars sold last year contain personal data.<\/p>\n\n\n\n<p>What\u2019s most concerning is consumers are not as aware of the security risks as they should be.<\/p>\n\n\n\n<p>A recent IBM security survey revealed only 8 percent of consumers were worried about protecting car navigation data compared to 64 percent who cared about data security in their mobile devices.<\/p>\n\n\n\n<p>In the automotive industry \u2013 especially used car dealerships \u2013 that problem has been festering for some time.<\/p>\n\n\n\n<p>A few individuals have been ringing the warning bell for years to alert the industry about PII in vehicles. State legislatures in California, New York and Georgia have taken the lead by enacting privacy laws, and more than a dozen other states have bills pending.<\/p>\n\n\n\n<p>Federal agencies, including the Federal Trade Commission, are taking a hard look at the issue.<\/p>\n\n\n\n<p>In 2017, the FTC co-sponsored a national conference with the National Highway Traffic Safety Administration and asked NHTSA to define its role and responsibilities related to the privacy of data generated by and collected from vehicles.<\/p>\n\n\n\n<p>Currently, the issue is still largely undefined by law.<\/p>\n\n\n\n<p>Peder Magee, a senior attorney for the FTC\u2019s Bureau of Consumer Protection, said there is no law enforced by the bureau that specifically requires companies to delete or protect the privacy of consumers\u2019 personal information stored in a car\u2019s computer system.<\/p>\n\n\n\n<p>But that doesn\u2019t mean anything goes. 
Magee said the FTC can protect consumer privacy using the FTC Act\u2019s prohibitions against unfair or deceptive practices.<\/p>\n\n\n\n<p>\u201cIf a company makes a promise about how it protects a consumer\u2019s personal information and fails to abide by that promise, it could open itself to enforcement under the FTC Act,\u201d he explained.<\/p>\n\n\n\n<p>\u201cSimilarly, even without such a promise, a company that engages in acts or practices that are unfair could be subject to an enforcement action.\u201d<\/p>\n\n\n\n<p>Magee said an act is considered unfair under the FTC Act if it \u201ccauses or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits.\u201d<\/p>\n\n\n\n<p>Legislative wheels move slowly, so in the meantime private firms are stepping up to try to tackle the problem.<\/p>\n\n\n\n<p>This year, KAR Global \u2013 parent company of ADESA auctions and digital auction platform BacklotCars \u2013 launched a new training program for employees, symbolized by animated mascot Privacy Pam, to advance its commitment to data privacy in the digital age.<\/p>\n\n\n\n<p>\u201cAs the growing patchwork of government and customer requirements continues to evolve,\u201d KAR chief privacy officer Michelle Bray said, \u201cPrivacy Pam will help ensure every KAR employee around the globe is aligned, aware and mobilized around this priority.\u201d<\/p>\n\n\n\n<p>One group that\u2019s taking a proactive approach to personal information is the American Recovery Association, the world\u2019s largest organization of professional repossession agents.<\/p>\n\n\n\n<p>Executive director Les McCook said in-vehicle data security is a \u201csuper big issue\u201d for the industry.<\/p>\n\n\n\n<p>\u201cWhen you sell your car to a dealership or another person, or if it goes to auction, you\u2019re selling more than just your vehicle,\u201d he said. 
\u201cYou could be giving them personal information from your navigational unit, passwords to your garage door opener, your home address, personal photos, a list of your contacts and even banking information.\u201d<\/p>\n\n\n\n<p>To combat that problem, on June 1 ARA announced a partnership with Privacy4Cars.com, a technology company focused on \u201cidentifying and resolving data privacy issues across the automotive ecosystem.\u201d<\/p>\n\n\n\n<p>ARA members will have access to Privacy4Cars\u2019 technology to help them delete personal data from repossessed vehicles, minimize member risk and differentiate themselves from competitors.<\/p>\n\n\n\n<p>McCook said ARA, along with \u201cother organizations like auction houses, dealerships and finance groups,\u201d believes Privacy4Cars founder and CEO Andrea Amico \u201cis at the forefront of this problem and has a firm grasp on how to solve it.\u201d<\/p>\n\n\n\n<p>Amico said he and his staff have been developing the Privacy4Cars technology for seven years.<\/p>\n\n\n\n<p>In 2014, he authored the first statistical study on how frequently data is left in rental and for-sale vehicles and the kinds of data found there.<\/p>\n\n\n\n<p>While completing that project, he realized how extremely common it was for drivers and occupants to leave \u2013 and unknowingly give others access to \u2013 highly detailed digital footprints of personal information in vehicles they no longer owned or controlled.<\/p>\n\n\n\n<p>Amico, a cybersecurity and vehicle privacy expert, designed his patent-pending process for deleting personal information from vehicles and launched his app in 2018.
His company recently launched a new website that offers a variety of resources for businesses.<\/p>\n\n\n\n<h3 id=\"repercussions\" class=\"wp-block-heading\"><strong>Repercussions<\/strong><\/h3>\n\n\n\n<p>Buying and selling used vehicles whose systems contain PII creates a number of important issues, but many dealers haven\u2019t thought about or don\u2019t understand the potential repercussions.<\/p>\n\n\n\n<p>If a consumer discovers his or her personal information has been shared or stolen from a vehicle sold to a dealership, that dealership could be threatened with a lawsuit \u2013 defending against which can be difficult and costly in terms of legal fees and potential fines.<\/p>\n\n\n\n<p>At the very least, the dealership could end up with a bad reputation through word of mouth, social media, online reviews or even being spotlighted in a television news segment.<\/p>\n\n\n\n<p>Remarketers and dealers reselling vehicles without first erasing consumer data captured in onboard computers and convenience systems can put themselves at risk of violating consumer protection laws, Amico said.<\/p>\n\n\n\n<p>\u201cDealers have to realize that whoever holds the title to a vehicle is responsible for any data security problems or breaches,\u201d Amico said.<\/p>\n\n\n\n<p>\u201cThey have to treat a vehicle like any electronic device, such as a smartphone or computer.<\/p>\n\n\n\n<p>\u201cOnce they face a lawsuit, the math quickly adds up, especially for independent dealers. 
It\u2019s just good data hygiene to eliminate the personal data.\u201d<\/p>\n\n\n\n<h3 id=\"whose-responsibility-is-it\" class=\"wp-block-heading\"><strong>Whose Responsibility Is It?<\/strong><\/h3>\n\n\n\n<p>Because there is no federal law that specifically addresses data stored in vehicles \u2013 rather, the issue is covered by an assortment of laws from state to state \u2013 it isn\u2019t always clear who has responsibility for that data.<\/p>\n\n\n\n<p>But ignoring the issue is taking a risk.<\/p>\n\n\n\n<p>Steve Levine, an attorney and chief legal and compliance officer of Ignite Consulting Partners, said the responsibility falls on the dealership to wipe a used car clean of any personal data.<\/p>\n\n\n\n<p>\u201cThis problem has been on the auto market\u2019s radar for years,\u201d he said. \u201cAs cars continue to be more connected and more people carry smart devices, it will continue to be a bigger problem. And eventually, every car will be impacted.\u201d<\/p>\n\n\n\n<p>Levine likens the issue to a similar case years ago involving copy machines.<\/p>\n\n\n\n<p>Offices and businesses leased copy machines, and every time a copy was made, the image was stored in the machine.<\/p>\n\n\n\n<p>When the copy machine company picked up the old machine, it also carried away a lot of personal and corporate data stored on the machine \u2013 resulting in litigation.<\/p>\n\n\n\n<p>Levine said those suits can be based on state privacy laws or negligence claims. And, he added, \u201cPlaintiffs\u2019 lawyers will attempt to fit their claim under an unfair or deceptive acts and practices claim to try to get triple damages and attorney\u2019s fees.\u201d<\/p>\n\n\n\n<p>Levine said customers should be concerned when they sell or return a vehicle to a dealership.<\/p>\n\n\n\n<p>\u201cThey don\u2019t know where their vehicle will end up \u2013 on the dealer\u2019s lot, at auction\u2026 Who knows?\u201d he said. 
\u201cPlus, the majority of car owners have no idea how to wipe their data off of their vehicle.<\/p>\n\n\n\n<p>\u201cDealers have to take this onto themselves and do right by the customer. It deserves consideration by the dealership to put it into policy and develop a process to protect the customer.\u201d<\/p>\n\n\n\n<p>Some dealers are already doing that.<\/p>\n\n\n\n<p>One of them is Jeff Watson, owner of 4 Seasons Auto Sales in St. George, Utah. Two years ago, he added \u201cdepersonalization\u201d to his dealership\u2019s reconditioning process.<\/p>\n\n\n\n<p>Previously, his service team simply looked in the glove compartment and trunk for personal items and removed stickers and decals.<\/p>\n\n\n\n<p>Now the team resets the vehicle to its original factory settings and deletes any personal data, including addresses in navigation systems, phone numbers and even music lists.<\/p>\n\n\n\n<p>\u201cI learned about that from my NIADA Dealer 20 Group,\u201d Watson said. \u201cThen I tested it with my own car that I recently sold.<\/p>\n\n\n\n<p>\u201cWith the rise of ID theft, it\u2019s certainly something dealers need to keep on their radar. It\u2019s very easy to implement as a policy.\u201d<\/p>\n\n\n\n<h3 id=\"privacy-and-security-laws\" class=\"wp-block-heading\"><strong>Privacy and Security Laws<\/strong><\/h3>\n\n\n\n<p>As governments begin to address the issue of persistent data, they must answer one question: Who should be responsible for wiping a car clean of personal information before it\u2019s sold?<\/p>\n\n\n\n<p>Manufacturers? Dealerships? Auctions? Technology providers? 
Consumers?<\/p>\n\n\n\n<p>And should it be a federal issue or a state issue?<\/p>\n\n\n\n<p>\u201cI believe the onus should be on the automobile manufacturers,\u201d said Joel Kennedy, president of the National Automotive Finance Association, a trade association serving the non-prime auto financing industry.<\/p>\n\n\n\n<p>\u201cIf they make it easy for a consumer to populate the car with data, they should take responsibility for helping the consumer wipe the car clean of that data.\u201d<\/p>\n\n\n\n<p>Charles Henderson, a security expert and Global Managing Partner of the IBM Security X-Force, said automakers will likely do just that in the not-too-distant future.<\/p>\n\n\n\n<p>\u201cI expect the auto industry will improve mechanisms to clear out persistent data,\u201d he said. \u201cWhy should a third party have to fix the problem?\u201d<\/p>\n\n\n\n<p>For now, the data privacy challenge continues to grow. Newer connected vehicles that collect more data will be put on the road. Legacy vehicles will continue to change hands, and personal data will move to every new owner.<\/p>\n\n\n\n<p>Auto manufacturers will develop more connected technology that makes driving easier and safer \u2013 but captures more personal data.<\/p>\n\n\n\n<p>Amico suggested dealerships should look at this scenario as an opportunity to set themselves apart from competitors by wiping personal data from their cars \u2013 and promoting that fact.<\/p>\n\n\n\n<p>Smart dealers, he said, can get ahead of the curve and market that as a competitive advantage over other dealerships that don\u2019t offer the service.<\/p>\n\n\n\n<p>\u201cThis is a massive problem that hasn\u2019t been addressed,\u201d McCook said. \u201cAnd we\u2019re barely seeing the tip of the iceberg.<\/p>\n\n\n\n<p>\u201cIt won\u2019t be a cakewalk to solve it, either. Last year, we had 2 million repos in the U.S. That means 2 million opportunities for personal data to be lost. 
Who is going to step up to the plate?\u201d<\/p>\n\n\n\n<h3 id=\"what-can-dealerships-do\" class=\"wp-block-heading\"><strong>What Can Dealerships Do?<\/strong><\/h3>\n\n\n\n<p>Here are some tips from industry experts on minimizing risk from persistent data:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>If you buy a vehicle from an auction, ask the auction what steps it has taken to clean data out of the car. Auctions can easily use the manufacturer\u2019s remote access system to reset the vehicle according to its VIN \u2013 it takes only a day to do it.<\/li><li>Put a process in place to remove consumers\u2019 personal data. Just as a vehicle is inspected for safety and maintenance issues and reconditioned when it\u2019s taken in, wiping the vehicle of personal data and resetting it back to factory settings should be included on the checklist.<\/li><li>Adopt third-party technology to erase personally identifiable information.<\/li><li>Call the vehicle\u2019s manufacturer directly to gain remote access to erase the data.<\/li><li>Work with consumers. 
Ask them questions and check vehicles for any type of personal information before accepting them onto your lot.<\/li><li>Become more active politically and ask local and state legislators about enacting laws regarding this issue.<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"When a driver sells a used car to a dealership, he or she is often reminded to check&hellip;\n","protected":false},"author":24,"featured_media":2233,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"csco_singular_sidebar":"","csco_page_header_type":"","csco_appearance_grid":"","csco_page_load_nextpost":"","csco_post_video_location":[],"csco_post_video_location_hash":"","csco_post_video_url":"","csco_post_video_bg_start_time":0,"csco_post_video_bg_end_time":0,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[4],"tags":[],"class_list":{"0":"post-1202","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"cs-entry","9":"cs-video-wrap"},"_links":{"self":[{"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/posts\/1202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/comments?post=1202"}],"version-history":[{"count":0,"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/posts\/1202\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/media\/2233"}],"wp:attachment":[{"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/media?parent=1202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/categ
ories?post=1202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/niada.com\/dashboard\/wp-json\/wp\/v2\/tags?post=1202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}