• Stop being a LURKER - join our dealer community and get involved. Sign up and start a conversation.

DMS Data Extraction Audit

tomwhitejr

Desk Monkey
Apr 14, 2009
58
36
Awards
4
First Name
Tom
So, this whole TrueCar mess has caused me to ask the question what and to whom are we sending our DMS data to... We were recently added as a Diamond Dealer Partner with Capital One and signed an agreement to allow them access to our DMS (so that they could calculate our non-captive finance penetration). I did this willfully and knowingly and am now having second thoughts.

Our DMS is the lifeblood of our business and I'm now concerned about what we are allowing vendors and finance companies access to. I've tasked our CFO to do an audit of our DMS data extraction to see just who we are sending our data to. Has anyone else done this recently? What did you find?

I have a feeling I'm not going to be super excited about what I find, but I'll keep you posted...
 
  • Like
Reactions: 1 person
And one final question - are the people signing dealer agreements and contracts actually a) authorized to do so on behalf of the company and b) familiar enough with contract law to be able to read and understand said agreements? My experience with most vendors is that they rarely check and see if the person signing the contract is legally able to do so... Forgetting the contractual requirements of those agreements, are there dealerships having people neither qualified nor authorized to sign these actually signing those docs and entering them into contractual relationships they wouldn't otherwise enter into?

As an example, a gung ho new Internet Manager gets sold a service from a new vendor and receives and then signs the documents allowing the vendor access to the DMS... Regardless of whether it was legal or not, the vendor suddenly has access to the dealer's data and the DP has no idea...

Am I just being paranoid, or is this an actual problem?
 
And one final question - are the people signing dealer agreements and contracts actually a) authorized to do so on behalf of the company and b) familiar enough with contract law to be able to read and understand said agreements? My experience with most vendors is that they rarely check and see if the person signing the contract is legally able to do so... Forgetting the contractual requirements of those agreements, are there dealerships having people neither qualified nor authorized to sign these actually signing those docs and entering them into contractual relationships they wouldn't otherwise enter into?

As an example, a gung ho new Internet Manager gets sold a service from a new vendor and receives and then signs the documents allowing the vendor access to the DMS... Regardless of whether it was legal or not, the vendor suddenly has access to the dealer's data and the DP has no idea...

Am I just being paranoid, or is this an actual problem?

Not sure, but from what I've seen it's possible for anyone to sign up a dealer agreement.. Even if it's not legit. I could even claim I'm an owner and they wouldn't check into it further.. BUT in order for it to hold up in court, the owner, principal, etc must sign the agreement him or herself. So If I signed up the company for a website for a 12 month contract and 6 months and became angry with the company, I could easy explain that the dealer principal or owners never signed it and get out every-time.

If that's the case, the provider should have checked to make sure the person signing the document was the principal or owner. And if it's stated he's not in his title, then it's a clear case. As far as things go aside from that, why would any dealership System Admin give anyone the login info to the DMS? There's absolutely no reason that should be given out unless the owners and principal are overseeing what's going on with their data. Another point, but I'm sure there are people who have this info and are signing up for things left and right with no idea to real harm..

Scott you are not paranoid, I'm exactly the same. I spent the day today and past few months, figuring out a way for out website provider to access the inventory portion only, and nothing else. Even though it's a reputable company, I wouldn't give my main DMS information to anyone for uncontrolled downloads and viewing access. I strongly believe that the DMS should not be accessed by anyone other than the owners. That's private data and it should remain private.. And a lot of companies are stealing it quietly, because let's face it most dealers aren't educated enough or don't have enough time to monitor things like that.
 
And one final question - are the people signing dealer agreements and contracts actually a) authorized to do so on behalf of the company and b) familiar enough with contract law to be able to read and understand said agreements? My experience with most vendors is that they rarely check and see if the person signing the contract is legally able to do so... Forgetting the contractual requirements of those agreements, are there dealerships having people neither qualified nor authorized to sign these actually signing those docs and entering them into contractual relationships they wouldn't otherwise enter into?

As an example, a gung ho new Internet Manager gets sold a service from a new vendor and receives and then signs the documents allowing the vendor access to the DMS... Regardless of whether it was legal or not, the vendor suddenly has access to the dealer's data and the DP has no idea...

Am I just being paranoid, or is this an actual problem?

1) Within reason, many states will bind corporations to agreements signed by unauthorized officers unless the lack of authority was really obvious.

2) At minimum, every Dealership should know and monitor who gets their data, how they get it (pull or push) and who it's being shared with. This usually starts with a Safeguards Agreement and having all access to data go through a single department or manager.

As a part of your audit...

a) Ask every recipient to provide you with copies of the agreements they have in place with the parties they receive your data from or transmit your data to.

b) Ask every recipient for dated logs with record counts for each extraction and transfer.

3) Follow the chain until it ends. Any company who can't or won't easily provide this info to you should NOT have access to your data at all.
 
Not sure, but from what I've seen it's possible for anyone to sign up a dealer agreement.. Even if it's not legit. I could even claim I'm an owner and they wouldn't check into it further.. BUT in order for it to hold up in court, the owner, principal, etc must sign the agreement him or herself. So If I signed up the company for a website for a 12 month contract and 6 months and became angry with the company, I could easy explain that the dealer principal or owners never signed it and get out every-time.

Wow. Just wow.