As we mentioned in our blog of last August, under the authority granted to the Trump Administration under Section 232 of the Trade Expansion Act, the Commerce Department found that U.S. imports of automobiles and certain auto parts threatened the national security by affecting the global competitiveness of American Companies and undermining their ability to perform the research and development that leads to our military superiority. Under the Act, a deadline of November 13, 2019 was set for the determination of whether to impose a 25% tariff on the import of those automobiles and parts from the European Union (EU). Because the deadline ran out without action, it was widely assumed that the Trump Administration had simply dropped the tariff threat. Last month, however, it became clear that the threat of the tariffs remains very much alive. During January’s World Economic Forum in Davos, Switzerland, President Trump renewed his stance to carry through with 25% tariffs if he is unable to strike a trade agreement with the EU that he believes to be fair to the United States. While the President did not set a specific new deadline for such a deal to be reached, he stated that European officials “know what the deadline is.”

According to studies undertaken by the Center for Automotive Research, the proposed 25% tariff could add up to $6,875 to foreign-manufactured vehicles, and would push up prices in the overall market by an average of $4,400 per car. Several economists have expressed the concern that this significant rise in car prices will suppress sales and push buyers with modest incomes out of the new car market. For their part, Europeans, particularly the Germans, have indicated that they will retaliate in the event that the Trump Administration imposes such sanctions.

Complicating matters, if tariffs are, in fact, imposed, there exists a technical legal issue that would likely end up in the courts. Tariff opponents argue that Section 232 of the Trade Expansion Act required that the Administration act by the November 13 deadline (i.e., within 270 days from the date the Commerce report under Section 232 was delivered to the White House last February). Nevertheless, even if such a challenge were to succeed, it would likely only delay matters. The White House has other options at its disposal, such as the use of the International Emergency Economic Powers Act, which gives the President broad authority to respond to an “unusual and extraordinary threat” to our economy or national security. Given the broad interpretation of this authority, together with the courts’ reluctance to take up challenges to the Executive branch’s power in foreign affairs, it would appear that the ultimate outcome of any challenge would favor the White House.

The automotive industry, which almost universally opposes the tariffs, will have to continue in a state of limbo for now.

It seems that the signs are everywhere for the single point dealership owner.  Shrinking margins and looming industry disruptions from car-sharing and direct-from-the-manufacturer electric vehicles, among other factors, are leading more dealers with one, or even a few, dealerships to decide not to continue on with their current model, leaving them with the prospect of either selling to a larger operation, or expanding their operation through the acquisition of additional points and line makes.

The sale of an automobile dealership for many, if not most dealers is a transaction that they only experience once.  Dealers on the buying side can also be faced with a transaction process that they have never been through before.  This series will provide an overview of the process to give you some idea of what you can expect in a buy/sell transaction.

Buy/sell transactions can be divided into six general phases.  The first phase occurs before a buyer and seller make contact, when the parties are evaluating the possibility of buying or selling a dealership.  During this time the buyer is making the decision to expand their operations and determining what size or type of dealership they would like to acquire, or what opportunities they hope to find.  A seller is making the determination that they will sell, preparing the dealership for sale, generating a financial profile of the business and determining what they believe their business is worth.  Developing realistic expectations on both sides of a transaction during this phase can make the rest of the process much easier, though it can be hard for dealers new to the process to know what to expect.

The second phase of the transaction begins when a potential buyer and a potential seller initially make contact.  At this stage of the process, the seller and buyer usually enter into a confidentiality agreement, which will protect both of them as they move through the process.  A confidentiality agreement will limit the potential buyer’s use of any information it obtains about the selling dealership, and will restrict the potential buyer from discussing the fact that the dealership may be for sale with any third parties.  While some business information will be shared between buyer and seller at the outset, a seller should be mindful that, without a confidentiality agreement in place, the buyer has broad discretion in its use of any volunteered information.  The buyer might want the confidentiality agreement to contain a “no shop” provision, which would lock in the potential buyer’s exclusive right to negotiate a deal with the seller for a period of time, usually 30 to 90 days.

During this 30 to 90 day period the potential buyer will evaluate the condition of the dealership and its financial performance, in order to determine how much they are willing to pay.  A well-prepared seller will have gone through this exercise themselves and will have a realistic expectation of what a buyer should be willing to pay for their operation and the ability to support that valuation to the buyer.

In addition to the all-important question of the value of the dealership, other items to be negotiated usually include: (i) whether the transaction will be a sale of assets or a sale of the ownership interest in the entity that owns the dealership; (ii) whether the real estate on which the dealership operates will be sold as part of the transaction or leased by the buyer; (iii) whether there will be any written employment or consulting agreements involved; and (iv) whether the buyer will expect the seller to execute a non-compete agreement.  Once the basic outline of the transaction is agreed upon the parties will need to determine if they formalize them in a letter of intent or whether they will just proceed to negotiating a definitive purchase agreement.  A letter of intent will generally set forth the basic terms, including whether it is an asset or stock transaction, basic price terms (including the method for valuing inventories), how real estate will be handled, and any other items that have been specifically agreed to.  The next part in this series will address the negotiation of the definitive purchase agreement.

For decades, federal wage and hour regulations have required that non-discretionary bonuses paid to employees be included in the recipients’ “regular rate” for purposes of calculating their overtime premiums.  In other words, if an employee earns a base rate of $10/hour and also earns a non-discretionary weekly productivity bonus in the amount of $50 during a week in which he works 50 hours, his regular rate for the week will jump to $11/hour.  For the ten overtime hours he worked during the week, his ½ time overtime premium must be calculated based on the inflated regular rate, not his lower base rate.  So, his total earnings in the example above would equate to [50 hours x $10/hour = $500] + [10 x ½ x $11.00] = $555.00.

Many employers overlook this basic requirement in the U.S. Department of Labor’s (“DOL”) regulations governing overtime compensation – and the law on this issue just got a little bit trickier.  In Secretary of Labor v. Bristol Excavating, Inc., Talisman Energy Inc. offered a variety of bonuses to all workers at its drilling sites, including employees of its contractors.  Employees of Bristol Excavating, a contractor on a Talisman job site, inquired with their employer whether they could qualify for the Talisman bonuses.  Bristol, in turn, posed this question to Talisman, and Talisman agreed to extend their bonus programs to Bristol’s employees – including bonuses for safety, efficiency and a “Pacesetter” bonus.  Bristol and Talisman did not enter a formal agreement regarding this arrangement, but Bristol did undertake the clerical work to administer the bonus programs as they applied to its employees (e.g. determining eligibility, invoicing Talisman and distributing Talisman’s bonus payments).

During a routine compliance audit, a DOL auditor determined that the Talisman bonuses paid to Bristol’s employees must be added to each recipient’s regular rate of pay for purposes of calculating his or her overtime premiums.  Bristol disagreed, and the matter proceeded to federal court.

The U.S. Court of Appeals for the Third Circuit rejected the DOL’s position that all payments to employees for their services, regardless of their source, must be included in the regular rate of pay unless specifically exempted.  Instead, the Third Circuit reasoned that whether a payment qualifies as remuneration for employment “depends on the employer’s and employee’s agreement.”  The Court identified a number of factors to be considered in determining whether third-party bonuses should be considered remuneration for employment, including: (a) whether the specific requirements for receiving the payments are known by the employees in advance of performing the work; (b) whether the payment itself is for a reasonably specific amount; and (c) whether the employer’s facilitation of the payment is significantly more than serving as a pass through vehicle.  If those factors exist, a court should then consider whether the employer and its employees “have adopted the third-party incentive bonuses as part of their employment agreement.”

In applying this analysis to the Talisman payments, the Third Circuit concluded that the $25 daily safety bonuses paid by Talisman to Bristol’s employees were, in fact, remuneration for employment since “Bristol’s facilitation of the program went significantly beyond merely acting as a pass-through.”  On the other hand, the Court found that the evidence of record was insufficient to conclude that Talisman’s Pacesetter and efficiency bonuses were remuneration subject to the DOL’s overtime rules.  For this reason, the Third Circuit remanded the case for further proceedings on this issue.

Although the Bristol Excavating decision was not a complete victory for the DOL, it does highlight a basic point that many employers are likely to overlook: bonuses and other payments made by third parties to your employees may affect how you must calculate their overtime premiums.  If your employees may receive payments from third parties for their services, it is important to determine whether those payments should be included in their regular rate for overtime purposes.

An ever growing number of U.S. economists have forecasted an economic downturn in the coming year.  With vehicle sales creeping down for 2019, many dealers are starting to feel the bind.  Economists and accountants are predicting mergers and acquisitions activity (“buy/sells”) to remain slow through year end and into 2020.  While periods of financial turmoil are particularly difficult in industries providing durable and luxury goods, adding on to the thin margins seen by auto dealers in recent years and a recession could prove disastrous.

Auto sales and M&A activity both slow down before a recession for the same reasons: first, out of the buyer’s uncertainty about incurring the expense of the acquisition before hard times; and second, in the expectation that a better deal is to be had when times get tough for the seller.  The question becomes, why pay $6 million in blue sky today, when that dealership may be distressed in six months and sell for $2.5 million in blue?  Economic downturns provide unique investment opportunities for companies positioned to weather the storm.  Buying a new dealership during economic downturns, however, presents particular risks and concerns that are often not present in the usual deal process.

First, take sufficient time in the letter of intent phase (and definitive agreement) to consider what events should allow the parties to walk away from the deal.  Buyers generally want to get a deal signed as soon as possible because manufacturer and governmental approvals can only be sought once the deal is signed.  Despite this, without adequate thought given to termination provisions in your agreements, a buyer could end up buying a dealership which has seen goodwill deteriorate sharply over the last 3 months, without a corresponding adjustment to purchase price.  The buyer will want to make sure that, should the recession worsen, they are not stuck doing a deal at a rate that is out of sync with the actual underlying value of the dealership.  For example, termination rights may include a right for the buyer to exit the agreement in the event of sales dropping off by some certain percentage.  Relatedly, a seller may want the ability to exit the deal if its prospects improve substantially (though this is probably better addressed through pricing, discussed below).

For buyers who know they want a foothold in the seller’s market, regardless of the health of the seller, these concerns can partially be managed through pricing mechanisms.  Instead of agreeing to a fixed goodwill number today, agree on the formula used to come up with that number.  That way, the passage of time is less likely to leave the buyer upside down at the closing table.  Using a formula, instead of fixed numbers at signing, can also be helpful to the seller by giving them the full value of the business at closing, not just the value that was determined a few months prior when the deal was signed.

Alternatively, an earnout may be an worthwhile option to consider. Earnouts are payments made to a seller following the closing.  These payments are tied to a business metric, often EBITDA, and allow the seller to get the benefit of a strongly performing dealership in a case where the buyer is skeptical of performance.  Buyer’s also like earnouts because it lets them pay added purchase price out of actual performance post-closing.  Earnouts are fraught with their own risks, but they work best when the outgoing dealer is staying on in the dealership post-closing (at least through the earnout period).

Next, while its not common in automotive deals, break-up fees should be considered when market downturns are on the horizon.  A break-up fee is a payment by one party to the other when a deal falls through to cover costs of conducting due diligence and other transaction costs.  In this context, it would most likely be sellers seeking break-up fees from buyers, if the buyer exits a deal due to general economic concerns.

Finally, a key part of almost every transaction is the decision on whether to lease or purchase the real estate.  When buying a dealership that is under performing in a weak market, it may be more beneficial to a buyer to sign under a long term lease with an option to purchase.  Rental values can be negotiated in advance, as can forms of purchase agreements on the exercise of the option, to avoid any future seller disruption of the buyer’s option exercise.  Conversely from the seller’s perspective, dealerships are special use properties.  This means they are specifically designed for a particular use, i.e., selling and servicing motor vehicles.  Thus, if a tenant does not renew the lease, the owner may experience significant difficulties selling or leasing the dealerships to another party.

These are just a few of the specific provisions that are particularly important when negotiating a buy/sell transaction during an economic downturn.  Just as the financial decision to enter into a sale transaction requires extra thought in bad economic times, so do the legal documents underlying that transaction.

Under a recent Eastern District Court ruling, Pennsylvania debt collectors must be licensed by the Department of Banking and Securities in order to collect on deficiency judgments from retail installment sales contracts or face violations of the Fair Debt Collection Practices Act.

In the decision from Judge Kearney in the Eastern District of Pennsylvania, Wyche v. Tsarouhis, 385 F. Supp. 3d 392 (E.D. Pa. May 14, 2019), a debt collector who purchases a deficiency judgment on motor vehicle installment sales contracts must be licensed under the Pennsylvania Consumer Credit Code at the time they acquire the debt in order to avoid a violation of the Fair Debt Collection Practices Act (“FDCPA”) for misleading conduct.

The plaintiff consumer in this case admitted to owing the deficiency balance for the repossessed vehicle. However, the consumer asserted that the collection agency was not authorized to collect on the debt as an entity not properly licensed under the Pennsylvania Consumer Credit Code.

The debt collector argued that, because the consumer defaulted on the retail installment sales contract and the original holder obtained a deficiency judgment before the collection agency acquired the debt, the agency did not acquire an installment sales contract under the Credit Code. The Court rejected this argument, reasoning that the consumer should be entitled to the same protection now than it would be under the original holder of the obligation, especially since the collection agency relies on the terms of the original installment sales contract to collect portions of the deficiency judgment such as attorneys’ fees.  The Court, therefore, found the collection agency acquired an installment sales contract and was required to be licensed at the time it was acquired.

The Court’s analysis did not end there. If the debt collector was not licensed, the obligation was unenforceable under the Pennsylvania Consumer Credit Code. When the debt collector attempted to collect the unenforceable obligation, it violated the Fair Debt Collections Practices Act by misleading the borrower as to the collector’s authority to collect the obligation.

The Wyche decision could lead to a whole slew of uncollectable debts or FDCPA violations by unlicensed agencies who have already acquired deficiency judgments. If the entity was not licensed at the time that the obligation was acquired, the collector does not have the right to collect the debt. Dealers and financial institutions can also expect to have difficult conversations with collection agencies about the enforceability of debts they acquired.

A recent client meeting (with experienced accounting and financial professionals as well as legal advisors) ended with the participants trading stories of attempted fraud, phishing or hacking attempts foisted on our clients, employees, colleagues and family members.  Each of us present had multiple stories.  These threats keep us up at night as much as (or more than) the substance of our professions such as tax legislation, financial market instability, trade threats and the like.

Damages from successful fraud schemes result in everything from the annoying and costly (lost productivity) to the catastrophic (substantial monetary loss or data theft).  While not specifically related to estate planning or our auto dealer practice, I thought I’d share a few common scenarios (just a drop in the bucket of the many, many variants of criminal creativity):

  • Call from a Government Agency. These calls follow short, tight scripts with a (usually) recorded warning from the “IRS,” “Social Security,” or “Medicare” about a tax delinquency, fraud affecting your social security number, or an offer for a free DNA testing kit.  It’s important to remember that the real agencies never communicate in this fashion.
  • The Grandchild in Trouble. In this scenario, a grandparent gets a call from his “grandchild” who has been arrested, often while traveling abroad.  The scammers perfectly calibrate their communication to reel in the sympathetic relative and get him to send money to the scammers.  If you think no one would fall for this, consider that the loss from family/friend imposter scams totaled $41 million between November 2017 and October 2018!
  • Phishing. Email with attached files from a work colleague, friend or family member.  The masked email address seems real enough to entice the recipient to click on the attachment.  Once that’s done, the hacker and/or a virus is potentially in your system.
  • Wire Transfers. This is a massive area of fraud in which a change of wire instructions just before closing on a transaction results in a transfer of funds to criminal third parties.

Given the ubiquity of these threats, it’s likely that you have heard of each of these in some form.  Usually we know to just hang up, delete the email and move on.  Particularly for older relatives, friends and colleagues however, they may be novel and therefore effective.  Hopefully, sharing the existence of these threats makes them less potent.  Abundant additional information and resources are available through the Federal Trade Commission, AARP, Consumer Finance Protection Bureau, and the FBI.

The Trump Administration initiated an investigation on automobile imports in May of 2018.  The Department of Commerce, which undertook the investigation, submitted its report to the President in February of 2019, but the Administration has not made it public.  Nevertheless, on May 17, 2019, President Trump announced his determination that U.S. imports of automobiles and certain auto parts threatened the national security.  More specifically, the President concluded that these imports affect American companies’ global competitiveness and their ability to undertake research and development on which U.S. military superiority depends.  These determinations, made under Section 232 of the Trade Expansion Act of 1962, give the President the broad authority to respond to these national security concerns, including the ability to unilaterally impose tariffs on the subject goods.   As a result, President Trump has threatened such tariffs on a number of occasions.

It seems that this threat of tariffs, at least for the moment, is being used as leverage in an effort for the U.S. Trade Representative (USTR) to reach favorable agreements with Japan and the European Union.  The Administration’s broad agenda, as reported by the Congressional Research Service, is intended to expand domestic automobile manufacturing, address bilateral trade deficits, and reduce disparities in tariff rates between U.S. and its trading partners.  (Presumably, countering the potential national security threat is also on the list.)  Notably, the U.S. tariffs for passenger cars is 2.5%, while the E.U. tariffs on U.S. passenger cars is at 10%.  Reports are that the Administration is considering tariffs of up to 25-30% on imported vehicles and parts, excluding those from Canada, Mexico and South Korea, all of which have separate trade agreements with the United States.

The automobile industry, including the NADA, is universally opposed to the potential tariffs.  Most studies indicate that auto tariffs could have significant negative effects on not just the auto industry but the U.S. economy generally.  For the moment, President Trump has put the tariff decision on hold until at least November while the USTR undertakes negotiations.  Accordingly, the industry will be holding its breath until then.

In 2015, Sergio Marchionne publicly made a case for mergers among automotive manufacturers.  The need for intensive amounts of capital for research and development was one of the key factors he cited for support.  Since 2015, the importance of research and development has remained, if not grown, as all vehicle manufacturers are looking towards the eventual electrification of virtually all their fleets.  Estimates for the cost of research, development and implementation of electrification have risen fourfold over the last five years to over 300 billion dollars.

Recent on-again and off-again talks between Renault and Fiat Chrysler have reignited the discussion of the need for mergers of vehicle manufacturers.  While it is yet to be seen whether any merger between Renault and Fiat Chrysler will be negotiated (which would of course also involve Nissan and Mitsubishi), it is clear that the international automotive industry is in a state of consolidation.  It is worth noting that automotive manufacturers are not the only players in the industry considering or discussing merger opportunities, but their suppliers are as well.

However, nothing in the discussions between Renault and Fiat Chrysler should surprise anyone who follows the industry.  Since 1998, the list of mergers (both successful and failed) is fairly long:

Year Manufacturers Deal Value
1998 Daimler/Chrysler $43.1 billion
1999 Ford/Volvo Cars $6.5 billion
2001 Renault/Nissan $1.8 billion
2009 Geely Volvo $1.8 billion
2011 Volkswagen/MAN $7.4 billion
2014 Fiat/Chrysler $3.7 billion
2014 Volkswagen/Scania $9.2 billion
2016 Nissan/Mitsubishi $2.2 billion
2017 PSA/Opal and Vauxhall $2.2 billion

In addition to the above mergers or alliances, other automotive manufacturers are also working in global alliances on joint products.  The list of joint ventures includes Volkswagen and Ford, as well as Toyota and Suzuki.  Multiple industry observers are of the mind that there will continue to be mergers, joint ventures and alliances throughout the industry.  These consolidations are driven by a number of factors, the principal of which continues to be the need for cost-sharing concerning expenses related to the electrification of vehicles.  For instance, Volkswagen expects to spend $50 billion on the transition to electric vehicles while Daimler, which is a quarter of Volkswagen’s size, has indicated it will spend over $20 billion towards electrification.

The interesting question is whether consumers will see any tangible changes as a result of the consolidation of the automotive industry.  Certainly, vehicle platforms and technology will be shared among merger partners.  However, as has been demonstrated time and time again, local tastes and preferences will continue to have a huge effect on the delivery of vehicles to particular regions of the world.  Additionally, there are always the potential for culture clashes within merged companies which can lead to their failure.  Finally, many manufacturers are substantially owned by nation states or are significantly supported by national governments.  This ownership will, of course, lead to impediments to mergers, be they in the form of guarantees  requested for job security or other demands.  There are some reports that the interference of the French government in the Renault/Fiat Chrysler discussions are what caused them to break off previously.

With merger activity continuing and new tech companies enter the vehicle world, it will be interesting to watch the industry and see what of the existing automotive manufacturers survive and thrive over the next five to ten years.  Of course, the bigger interest will be what vehicles we are driving.

If you have serviced a customer’s vehicle and have not been paid, you may have a lien. This type of lien is created by law and is properly called a garageman or repairman’s lien (often mistakenly called a mechanic’s lien).   If you have done the following regarding the repair performed, you should have a garageman/repairman’s lien:

  1. Secured consent of the owner to perform work on the vehicle – it will be best if this consent is in writing;
  2. Performed the work;
  3. Remain in possession of the vehicle, remain in possession of the vehicle – to be clear – remain in possession of the vehicle; and
  4. Have not been paid.

All four criteria are required. Note that if you release the vehicle from your possession, your lien goes with it.

What this lien gives you is a priority. This means that if another party has a lien on the vehicle, even if it is the secured lender who financed the purchase, your garageman/repairman’s lien is ahead of that lien, meaning you get paid first. So, do not even release the vehicle to another lienholder trying to repossess the vehicle, unless that lienholder pays you what you are owed (and they will often do that).

To actually get paid for the services, you will need to take some additional affirmative steps. First, we recommend that a lien search be conducted on the vehicle. If you find that there is a recorded lienholder on the title, the first best step may be to contact the lienholder in writing and advise them of the debt you are owed and to notify them that you have a garageman/repairman’s lien, which is superior to their lien. This may result in the lienholder paying the debt you are owed or placing additional pressure on the vehicle owner to pay the debt.

If contact with the lienholder does not get you paid, your next best step is to file a civil complaint for breach of contract and unjust enrichment, and seek damages for the amount owed. For amounts up to $12,000, this can be done at the Magisterial District Court. For amounts larger than $12,000, you will need to file in County Court of Common Pleas. Remember, you are entitled to payment for valid storage fees and for your court filing fees and costs. If you are successful and secure a judgment for money damages, you will then proceed to have the judgment executed, meaning that the vehicle will be sold and you will get paid first (after the sheriff’s office) from the proceeds of the sale. If the vehicle sells for less than what you are owed, you will also have the option to pursue other assets of the customer to receive full payment. Note that a business entity is required to use an attorney for anything filed in the County Court of Common Pleas, which will be for amounts in excess of $12,000 and to execute on any judgment. Unless you have a contract with the customer that entitles you to attorney’s fees (and we rarely see that in the repair world), you will not be entitled for reimbursement for your attorney fees.

There is a constant drip of news about data security breaches, identity thefts and cybersecurity, to the point that it can become background noise. That is, until it happens to you, as I recently found out.

Several weeks ago, I got a call from the administrator of my 401(k) asking if I had requested another distribution from my account.  Someone posing as me had managed to obtain a significant distribution from my 401(k) plan. They had my social security number and enough background information about me to convince the Plan Administrator to make the distribution. Coupled with the fact that they knew where to look for my 401(k) account, a data breach seems the likely source used by this particular criminal. This has become an all too familiar story for employers and other businesses in our current environment.

As businesses that routinely collect sensitive information from both customers and employees, auto dealers are attractive targets for data thieves. Every auto dealer should take a hard look at its current data security regime and ensure that they are taking adequate steps to protect both their employee and customer information.

This is particularly so here in Pennsylvania, given a decision by the Pennsylvania Supreme Court last fall. In that case, Dittman v. UPMC, the Pennsylvania Supreme Court established that an employer owes its employees a duty of reasonable care to protect their electronically stored information, and that UPMC was liable to its employees for breaching that duty.

While the Court in Dittman only imposed this duty on employers, it is not a stretch to see the Court extending its reasoning to other relationships where a business collects and stores personal information, and then fails (in the court’s opinion) to adequately safeguard it. Even without a Court extending the rationale in Dittman, several states have passed laws protecting their citizens from data breaches, and more are being considered by state legislators at present. In this digital age, auto dealers need to be sure that their systems are secure from both internal and external threats, and that they have taken all prudent and reasonable precautions to safeguard the data that they have collected.

Dealers rightfully depend on their DMS vendors to safeguard their data, but that may not limit the dealer’s liability. DMS contracts routinely disclaim any guarantee of data security. Further, they contain limitations of liability that purport to limit the amount the DMS vendor must pay in damages to the amount paid by the dealer under the DMS contract, or less. These provisions in the contract can make recovering for data breach losses more difficult.

Dealers need to be proactive in defending their customers’ and employees’ data. This includes using appropriate security software, adopting strong data security policies, and training employees on what steps to take, and what things not to do, to avoid a data breach. Employee training should be ongoing, and employee compliance should be monitored. The IT system, and all devices that interface with it need to be protected, including devices owned by employees.

In addition to all the preventative steps that a dealer takes, it is also necessary to have an appropriate breach response plan in place. Understanding how you need to react in the face of a breach can significantly lessen the damage that you suffer. You should also be sure that you are carrying appropriate and adequate insurance to cover losses you might sustain. Sadly, it seems that it is no longer a question of IF you will get hacked, but WHEN, as I can personally attest.