
What to Do When Your Vendor Is Hacked

The quickest way to turn a breach into a crisis is to wing it. Follow this seven-step playbook to ensure you meet your obligations.

by James Ganther
December 16, 2025

Let’s start with an inconvenient truth: You can do everything right inside your four walls — tight IT controls, trained employees, a Safeguards program that could hang in the Sistine Chapel of the Federal Trade Commission — and still find yourself explaining to customers why their data wound up on a dark-web garage sale.

Welcome to the dealership data ecosystem, where you’re only as strong as your least careful vendor.

Recently, we saw reports that 700Credit suffered a breach involving millions of consumer records. According to 700Credit, the attack vector was the API connection from a platform user. Whose fault it was almost doesn’t matter. When a vendor is compromised, your customers’ information may be, too. The law treats that as your problem.

Why a Vendor’s Breach Is Still Your Breach

Your dealership is considered a “financial institution” under the Gramm–Leach–Bliley Act. That means you’re responsible for protecting customer information — even the information you share with service providers.

Think of it this way: If you deposited funds in a bank and the bank became insolvent, you wouldn’t say, “Well, at least it wasn’t my money.” It was. Regulators feel the same way about your vendors.

First question: Was my data involved?

Don’t speculate. Don’t assume. Don’t panic. Ask.

You need to know:

  • Whether your customers’ data was in the affected system

  • The types of information exposed

  • How many individuals this touches

  • Which states they live in (States have strong opinions about breach notice.)

If your vendor cannot answer these questions quickly and confidently, that’s an answer in itself. 

Your Legal Obligations

Under the FTC Safeguards Rule, if unencrypted customer information (or encrypted information whose key was also compromised) was acquired without authorization and 500 or more consumers are affected, you must notify the FTC as soon as possible and no later than 30 days after you discover the event. It doesn’t matter whose server it lived on.

Every state has its own breach-notification statute. Almost all require:

  • Notice to affected residents

  • Notice to the state attorney general and/or consumer protection agency

  • Notice “without unreasonable delay,” with many statutes setting an outer limit of 30 to 60 days

Vendors may offer to send consumer notices for you. This is fine, but your dealership remains legally responsible for ensuring it’s done correctly.

The Practical Playbook

Here’s the short version of the checklist no dealer ever wants to need but must be prepared to employ:

1. Activate your incident response plan: If you don’t have one, this is the moment you discover you should. The Safeguards Rule requires a written incident response plan, so learning of its absence in the middle of a breach only compounds your dealership’s exposure. So stop reading this article right now and confirm you have one. I'll wait.

2. Engage the vendor: You want facts, not spin. The data points discussed above are mandatory, not optional, and you need them as soon as possible for the next step.

3. Loop in counsel: The quickest way to turn a vendor’s breach into a dealership crisis is to wing it. Get your counsel involved as soon as you learn of the breach. While the breach itself may be the vendor’s fault, your dealership’s response is yours.

4. Map your notification requirements: The FTC, each state where affected consumers live, and yes, sometimes the credit bureaus (many state statutes add notice to the nationwide consumer reporting agencies once the number of affected residents crosses a threshold). This is why the early involvement of counsel is so crucial — each party has its own deadline, and they are short.

5. Communicate with customers clearly: No jargon. No hedging. Just the truth and what you’re doing about it. Bad news never becomes good news with aging. Communicate early.

6. Offer protection services when sensitive data, like Social Security numbers, is involved: It’s not just good practice. Regulators expect it, and your reputation demands it. Customers will forgive a vendor breach, but they won’t forgive a sloppy (or worse, no) response.

7. Strengthen your vendor management: A vendor breach is a harsh teacher but a good one. After the dust settles, review your:

  • Vendor contracts

  • Due-diligence process

  • Safeguards Rule program

  • Incident response plan

If you’re treating vendor oversight as a perfunctory checkbox, a vendor data breach will correct that attitude in a hurry.

You can’t prevent every vendor breach, but you can control what happens next. Responding promptly, transparently and responsibly will earn something much harder to breach: customer trust. And the best time to earn that trust is before a breach occurs.

James Ganther is CEO of Mosaic Compliance Services.
