It’s now common to see safeguarding and data transfer provisions in acquisition contracts, said George Karolis, president of investment banking and dealership advisory firm Presidio Group.
For instance, dealership purchase agreements often include representations that the seller has complied with Gramm-Leach-Bliley and has taken reasonable steps to protect their computer systems and customers’ information, said Stephen Dietrich, a lawyer and partner with Holland & Knight in Denver, who works on dealership transactions.
In the future, Safeguards Rule compliance likely will be added to the list of questions buyers ask about data security in their due diligence process, Dietrich said.
Dealership buyers can start a risk assessment before a transaction closes by asking sellers to provide questionnaires they give cyber insurance providers, which generally mirror the FTC’s requirements, Nachbahr said.
Asbury Automotive Group Inc. frequently looks for vulnerabilities in its own systems, as well as in systems for stores it plans to acquire, company leaders said last week.
The publicly traded group rose one spot to No. 5 on Automotive News‘ most recent list of the top 150 dealership groups based in the U.S., buoyed by its $3.2 billion purchase last year of Larry H. Miller Dealerships’ 61 new- and used-vehicle stores.
“When you buy a single store, it needs a lot of work and structure on the IT side, especially on the security side,” Asbury CEO David Hult said. “Most of the smaller groups have minimal security on their systems. They have it, but it’s minimal. Being a large company, we have layers of protection. So in every acquisition we’ve done, even the big ones like [Larry H.] Miller and Park Place [Dealerships], we’ve had to add layers on top of their security, just to get ourselves comfortable. Certainly, Park Place had a more sophisticated one and so did the Millers. But being public, we enhanced it further.”
