by Carl Schonander

States should not rush to pass laws affecting auto dealer and auto consumer data

May 06, 2019
Data and Information Security | Government | Legal

Due to cybersecurity and other impending regulations, patience is key.

[Image: car salesman, auto dealer, keys. Credit: Thinkstock]

Right now, there is a fight going on at the state level between “Dealer Management Systems” companies and auto dealers. DMS companies secure car manufacturer data, as well as consumer data (some of it sensitive), for car dealers and enter into legally binding contractual arrangements with those dealers. A number of states, actively encouraged by dealers, are proposing legislation that would allow third-party “authorized integrator companies” access to DMS systems without permission from the DMS company.

These integrator companies integrate different databases and computer systems for the dealers, but they do not make the upfront investments in data gathering and curation that the DMS providers undertake. Most relevantly in this context, the proposed state laws in effect appear to give these firms permission to hack into proprietary systems.

So, what is a Dealer Management System? And why is there sometimes a conflict between DMS providers and dealers?

A DMS is a platform that integrates all the data car dealerships need in order to function: accounting, spare parts inventory, price trends, marketing, website management, customer data, payment information. The list is practically endless. With the Internet of Things, connected cars, and automated vehicles, the need for state-of-the-art DMS systems will likely grow exponentially.

Many dealers, who are perhaps more interested in the business of persuading people to buy cars than in IT systems, are frustrated with the expense and the complications associated with running what are, in effect, growing data centers. They may think of those centers as “cost centers” rather than revenue generators, which perhaps explains some of the tension between DMS providers and car dealers. One way for dealers to reduce costs is to shift more work to the authorized data integrators.

This is a fascinating case study because it involves many of the facets of today’s technology policy debate: competition, proprietary data, privacy, intellectual property, cybersecurity, and more. But this is not just interesting from a political economy perspective. There are enough concerns about the proposed state bills to suggest that states should slow down and understand the cybersecurity, privacy, and possible conflict-of-law implications of these bills. Our view is that the bills could conflict with rights and duties established by federal statutes and are, from a cybersecurity view, likely harmful public policy.

Competition is a separate issue requiring consideration of competition remedies if appropriate

The two largest DMS companies are CDK Global Inc. and Reynolds & Reynolds, which together control about 70% of the U.S. market. This helps explain the sometimes-tense relationship between DMS firms and auto dealers. And, in fact, a number of car dealers filed an antitrust case against CDK Global Inc. and Reynolds & Reynolds. Reynolds & Reynolds announced on October 3, 2018 an agreement in principle to settle a federal class-action antitrust lawsuit. The agreement does not include CDK Global Inc. It also does not include non-dealership plaintiffs including competitors such as Cox Automotive, Authenticom, Motor Vehicle Software Corporation, and Autoloop.

But the bottom line is that the competition element of this fight continues to be litigated in court. And while dealers continue to complain about the competitive environment, James B. Treece wrote in an April 30, 2018 piece called “DMS vendors enter a new era of competition” that competitors are now not just competing on price. They are offering fundamentally different business models as well, which at least suggests that the competitive environment is changing without legislation.

But whatever happens with respect to the lawsuits and this market, if regulators find a breach of antitrust law, then they should impose competition remedies. It just does not make sense for the states to pass laws that allow entry into protected computer systems to solve what some observers perceive to be a competition problem.

States propose laws allowing ‘authorized integrators’ access to DMS company databases without those firms’ permission

Arizona 2418-541R- H Ver, Oregon House Bill 3152, North Carolina General Assembly House Bill DRH 40206 MW- 61 T , and Montana House Bill No 617 ban DMS companies from preventing access by third-party authorized integrators to the databases maintained by the DMS dealers. There is also a ban on what the authorized integrators can do with data, some of which is personal consumer information. There are many legal and public policy issues associated with these bills. How is personal data protected by an authorized integrator? What data could an authorized integrator share and/or sell? And maybe most importantly, how can high cybersecurity standards be maintained if third-party authorized integrators are, in effect, given the right by state legislatures to hack into DMS systems?

Contrary opinions against these proposed state laws

On March 29, 2019, K Royal wrote about the proposed Arizona law in a piece entitled “Arizona legislators propose opening secure networks to hackers” and said this: “HB 2418 is about auto dealers giving third parties, consultants and business associates, free access into otherwise secure computer networks – with no meaningful limitations on what these people can do with our data. That’s frightening as some of these ‘consultants’ have been sued for hacking corporate networks.”

Chris Apgar wrote on April 8, 2019 an opinion piece entitled “Opinion: Bill would give auto dealers too much control over customers’ information.” Apgar said: “A lay person might read House Bill 3152 as authorizing standard information-sharing arrangements between auto manufacturers, dealers and the companies that build specialized computer systems for the industry. Nothing could be further from the truth. Instead, this bill would require very secure and highly-regulated computer networks to become less secure – so much less secure that millions of Oregonians’ Social Security and credit card numbers would be at a greater risk of being stolen.”

Although the April 8, 2019 testimony by Reynolds & Reynolds representative Jonathan Emmanual might be considered biased, it is worthwhile reading, in part because Emmanual notes that the Oregon bill has no restrictions on what authorized integrators can do with the data. In fact, they can even sell personal data if they wish.

Cybersecurity concerns, possible state and federal privacy legislation, and possible conflict with federal law should prompt state lawmakers to slow down

The Arizona, Oregon, North Carolina, and Montana bills raise a number of challenging issues. Each state has its own computer security laws, as does the federal government.

First, Section 1030 of title 18 is the federal anti-hacking statute. Among other things, it protects every computer involved in interstate commerce (i.e., effectively every computer) from a person who either accesses that computer without authorization or exceeds authorized access. Congress’s intent as to how this statute applies seems fairly clear: it is a broad protection for the public. Whether “unauthorized access” or “exceeding authorized access” can be determined by reference to state laws (especially contract law) is an unsettled question, especially where the accessed business has not given authorization. Granting anyone carte-blanche entry into another person’s computer systems under the guise of “you have our data” should be an area of enormous policy concern and careful examination. These bills appear to be missing that component.

Second, even assuming that state law has some role to play in this, requiring access to a cloud service of any kind implicates more than the data that the dealer allegedly owns. In addition to using the cloud services’ servers (their personal property), these services run on software, which is federally protected intellectual property. Attempts by states to regulate those rights are routinely preempted. For example, attempts by states to restrict first-run motion pictures and to require licensing in expanded distribution areas have been preempted by federal statutes.

These bills have similarities, in that they prohibit certain provisions of software licenses that would restrict the IP owner’s federally granted exclusive rights. In addition, federal IP laws prevent circumventing technological protection measures that control access to copyrighted works. Civil (and criminal) liability for those acts would still exist.

Third, on the privacy front, open questions remain about whether the car dealer’s use of this information would violate consumer expectations of what happens to their data. A federal privacy law is now a serious possibility, and California has already passed a comprehensive privacy law, which will enter into effect in 2020. Whether dealers’ use of that information is consistent with reasonable consumer expectations of what is (and is not) being done with their information is also something that should be studied before passing these kinds of laws.

The bottom line: don’t rush

The states should tread carefully in this era of changing views on competition, privacy, and the emphasis on high cybersecurity standards. From a public policy standpoint, the cybersecurity implications of these state laws cannot be stressed enough. For example, at least one DMS company, CDK Global Inc., has been designated as Critical National Infrastructure.

Surely this suggests that the states should proceed very carefully. It is true that some of the proposed legislation makes an effort to ensure that authorized integrators comply with cybersecurity standards. For instance, the Arizona bill says that third-party vendors have to comply with the “STAR standards or other generally accepted cybersecurity standards that are at least as comprehensive as the STAR standards.”

But this is a vague standard. It seems reasonable for state legislatures to allow for more time to permit professionals to assess the cybersecurity implications of uncontrolled access to DMS systems, as well as the legal considerations.