Dealer Software Companies Sue Arizona Over Data Privacy Legislation

In the increasingly complex effort to keep consumer data safe, industry interests are beginning to chafe at restrictions piling up by state and federal authorities. While dealerships are being urged to review their data security practices, the companies that store and disseminate their customer data are also coming under increased scrutiny. Now, two dealer software solutions providers — CDK Global LLC and The Reynolds and Reynolds Co. – are suing the State of Arizona alleging that a new element of the state’s portfolio of cybersecurity laws will harm their businesses and unintentionally put consumer data at risk.

Arizona House Bill 2418 (known as the “DMS Law”), was passed unanimously earlier this year. Intended as a cybersecurity bill, it enables dealer to become the gatekeepers of all consumer information contained within the dealer management system, allowing them to control what information gets shared with third parties.

“I am really proud we’re doing this because what we’re saying is what we mean,” said Bobbi Sparrow, president of the Arizona Auto Dealership Association, which authored the bill. “When you come to our dealership, you give us that information. This is not for an open source.”

Software companies are crying foul, since the law will mean turning more information than they are comfortable with about their platforms over to dealerships. CDK Global and Reynolds and Reynolds are alleging in court filings that the law interferes with their contract rights and intellectual property, potentially putting highly confidential customer information at risk.

“Plaintiffs provide proprietary computer systems to automotive dealers,” according to the filing. The DMS Law purports to require Plaintiffs to give third parties unfettered access to and use of Plaintiffs’ DMSs, and the sensitive customer data they store, manage, and protect, without Plaintiffs’ authorization.”

The fate of the lawsuit is unknown, but it has backing from cybersecurity experts. At the time Arizona House Bill 2418 was being deliberated, there was doubt expressed that dealers are in a better position to safeguard proprietary information than software developers. Cybersecurity consultants and privacy advocates are not so sure the bill will provide the safeguards its supporters expect. Currently, the creators of the DMS system are responsible for its security, and it’s generally believed they are in a better position to do so from a technology and training standpoint.

Privacy attorney K Royal, with the Sandra Day O’Connor College of Law at ASU, told local news source ABC 15 that introduction of a third party can have the consequence of bypassing whatever security measures are already in place.

“[It] basically forces a third party that they creators don’t want in their system. It’s basically blown whatever security they put in place,” she said.