NewsArizona News


Arizona legislature approves bill aiming to increase cybersecurity when buying a car

KNXV Car dealership generic
Posted at 4:49 PM, Apr 05, 2019
and last updated 2019-04-05 22:22:51-04

PHOENIX — It's rare when a bill passes unanimously in both the Arizona House and Senate, but it happened with House Bill 2418. It's legislation intended to reduce the risk of someone getting your personal information when you buy a vehicle.

"If you are purchasing a car from a dealer your going to use some financial organization. You're going to give up information about yourself that I'm sure the consumer does not want released out in the ether," the bill's sponsor, state Rep. Noel Campbell (R-Prescott), said when he testified before the Senate Transportation and Public Safety Committee in March.

When people buy a car from a dealer, their personal information gets entered into what is known as the dealer management system, or DMS. That system links the vehicle with the purchaser, manufacturer, dealer, and digital sites like

Campbell's bill allows the dealer to be the gatekeeper of all the information. Dealers will enter into contractual agreements with a 3rd party and provide them only the information it needs. For example, sharing VIN and registration information with a digital company like

"I am really proud we're doing this because what we're saying is what we mean. When you come to our dealership, you give us that information. This is not for an open source," said Bobbi Sparrow, president of the Arizona Auto Dealership Association, which wrote the bill.

Cybersecurity experts and privacy advocates are not so sure the bill will provide the safeguards its supporters expect. Currently, the creators of the DMS system are responsible for its security.

The introduction of a third party can have the consequence of bypassing whatever security measures are already in place, according to privacy attorney K Royal, with the Sandra Day O'Connor College of Law at ASU.

"[It] basically forces a third party that they creators don't want in their system. It's basically blown whatever security they put in place," she said.

Sparrow responded by saying that the companies which create DMS programs are already selling the information they gather, and the bill will prevent that from happening in the future.

At Embry-Riddle Aeronautical University's College of Security and Intelligence, students from the Cyber Defense Club replicate real-life hacking scenarios in an attempt to prevent or in some cases break into sensitive government and corporate IT systems. The dean, Dr. John Haass, worries the bill will allow what it promises to prevent.

Dr. Haass, who reviewed House Bill 2418 for ABC15, says it doesn't focus much on putting digital protections first.

"It's pretty silent in terms of security. It talks a little about privacy; however it doesn't say anything about the implementation, doesn't say anything about standards or best practices," Dr. Haass said. "This is what happened to Facebook: they had an API (application programming interface) which allows people to harvest information on Facebook. Did they ever expect Russians to be harvesting it? No. They thought only good people would be harvesting it. Often attackers don't follow the rules."

The Arizona Auto Dealership Association stands by the bill and so does a unanimous legislature, though Governor Ducey has yet to sign it.

Similar bills are popping up across the country in New York passed similar legislation. Oregon and Montana are currently considering a bill similar to Arizona's.