Auto Dealership Cybersecurity & Compliance Solutions

Car dealerships have quietly become one of the most attractive targets in the cybercriminal landscape, and the reasons are straightforward. A single dealership collects and stores an extraordinary volume of sensitive consumer information, from Social Security numbers and driver's license details to bank account data, credit applications, and complete financing records. Every customer who walks onto a lot and applies for an auto loan hands over enough personal data to enable identity theft, and dealerships aggregate thousands of these profiles across their sales, finance, and service departments. This concentration of nonpublic personal information, combined with security programs that have historically lagged behind those of traditional banks, makes the modern dealership a high-value and often under-defended prize.

Why Automotive Dealerships Face Growing Cyber Risk

The dealership technology environment has expanded dramatically over the past decade, and each new system introduces additional exposure. Dealer management systems, customer relationship management platforms, online credit application portals, F&I software, service scheduling tools, and connected vehicle technologies all touch sensitive data and communicate across networks that are frequently flat, loosely segmented, and administered by small or outsourced IT teams. Ransomware operators have taken notice, and attacks that lock down a dealer management system can halt sales, service, and parts operations across an entire rooftop or dealer group for days. The 2024 disruption that paralyzed dealerships nationwide when a major DMS provider was compromised demonstrated just how dependent the industry has become on a handful of interconnected platforms, and how quickly a single point of failure can cascade across hundreds of locations.

Robbie Harriman

Robbie Harriman, CISA, serves as a Virtual CISO at Compass IT Compliance, where he has become a trusted advisor to independent and franchise auto dealerships navigating an increasingly complex regulatory landscape. He brings deep, hands-on experience helping dealers meet FTC Safeguards Rule requirements, protect sensitive customer financial data, and build practical, budget-conscious security programs that fit the day-to-day realities of dealership operations. A frequent speaker on dealership cybersecurity, Robbie is known for making compliance approachable and translating technical risk into clear decisions that business owners can act on.

GLBA Compliance and the FTC Safeguards Rule for Dealerships

The regulatory picture has shifted just as sharply. Automotive dealerships are classified as financial institutions under the Gramm-Leach-Bliley Act (GLBA) because they regularly arrange financing and leasing for their customers. That classification places every dealership squarely under the amended FTC Safeguards Rule, which took full effect in June 2023 and carries specific, non-negotiable requirements. Dealers must designate a qualified individual to oversee their information security program, conduct written risk assessments, implement access controls and encryption, deploy multi-factor authentication, monitor and log activity, establish a written incident response plan, and provide security awareness training to staff. The FTC has made clear that it intends to enforce these provisions, and dealerships that treat compliance as a box-checking exercise rather than a functioning security program expose themselves to regulatory penalties, reputational damage, and the very breaches the rule was designed to prevent.

Compounding the challenge is the fact that many dealerships must also address the Payment Card Industry Data Security Standard (PCI DSS) when they accept credit card payments for vehicles, service, and parts, along with a patchwork of state-level data privacy and breach notification laws that continue to expand. For dealer groups operating across multiple states, this means reconciling overlapping obligations while maintaining consistent controls across every rooftop. Compliance can no longer be handled reactively at the individual store level; it demands a coordinated, program-driven approach that accounts for third-party vendors, DMS integrations, and the flow of customer data across sales, finance, and service.

Village Auto Group

 


"Working with the OCD Tech/Compass team has been a genuinely positive experience from start to finish. They understand the unique compliance and security challenges dealerships face, from protecting customer financial data to meeting FTC Safeguards requirements, and they translate all of it into clear, practical guidance. Every engagement felt like a true partnership rather than a transaction, and they were always responsive when we had questions. I wouldn't hesitate to recommend them to any dealership looking for a knowledgeable and reliable security partner."

Chief Information Officer

Village Automotive Group

How Compass IT Compliance Supports Automotive Dealerships

As dealerships work to satisfy the FTC Safeguards Rule while defending against an increasingly aggressive threat landscape, the demand for practical, dealer-specific security expertise has never been higher. Building and maintaining a written information security program, keeping pace with evolving regulatory expectations, and hardening systems against ransomware and data theft require specialized knowledge that most dealership IT staff were never hired to provide. Compass IT Compliance helps dealerships and dealer groups close that gap, translating regulatory requirements into functioning controls and giving management the confidence that customer data is protected and examiner expectations are met.

Ready to Get Started?

Learn More About Our Automotive Dealership Solutions

Compass IT Compliance employs a team of highly experienced and certified IT auditors and security specialists who understand both the technical realities of the dealership environment and the regulatory frameworks that govern it. From single-location stores to large multi-state dealer groups, we help automotive retailers assess their risk, build compliant security programs, and defend the sensitive consumer data at the heart of their business. Contact us online today to learn more about how our services can support your dealership.