§ 20-305.7. Protecting dealership data and consent to access dealership information.

§ 20‑305.7.  Protectingdealership data and consent to access dealership information.

(a)        No manufacturer,factory branch, distributor, or distributor branch shall access or obtaindealer or customer data from or write dealer or customer data to a dealer managementcomputer system utilized by a motor vehicle dealer located in this State, orrequire or coerce a motor vehicle dealer located in this State to utilize aparticular dealer management computer system, unless the dealer managementcomputer system allows the dealer to reasonably maintain the security,integrity, and confidentiality of the data maintained in the system. Nomanufacturer, factory branch, distributor, distributor branch, dealermanagement computer system vendor, or any third party acting on behalf of anymanufacturer, factory branch, distributor, distributor branch, or dealermanagement computer system vendor shall prohibit a dealer from providing ameans to regularly and continually monitor the specific data accessed from orwritten to the dealer's computer system and from complying with applicableState and federal laws and any rules or regulations promulgated thereunder.These provisions shall not be deemed to impose an obligation on a manufacturer,factory branch, distributor, distributor branch, dealer management computersystem vendor, or any third party acting on behalf of any manufacturer, factorybranch, distributor, distributor branch, or dealer management computer systemvendor to provide such capability.

(b)        No manufacturer,factory branch, distributor, distributor branch, dealer management computersystem vendor, or any third party acting on behalf of any manufacturer, factorybranch, distributor, distributor branch, or dealer management computer systemvendor may access or utilize customer or prospect information maintained in adealer management computer system utilized by a motor vehicle dealer located inthis State for purposes of soliciting any such customer or prospect on behalfof, or directing such customer or prospect to, any other dealer. Thelimitations in this subsection do not apply to:

(1)        A customer thatrequests a reference to another dealership;

(2)        A customer thatmoves more than 60 miles away from the dealer whose data was accessed;

(3)        Customer or prospectinformation that was provided to the dealer by the manufacturer, factorybranch, distributor, or distributor branch; or

(4)        Customer or prospectinformation obtained by the manufacturer, factory branch, distributor, ordistributor branch where the dealer agrees to allow the manufacturer, factorybranch, distributor, distributor branch, dealer management computer systemvendor, or any third party acting on behalf of any manufacturer, factorybranch, distributor, distributor branch, or dealer management computer systemvendor the right to access and utilize the customer or prospect informationmaintained in the dealer's dealer management computer system for purposes ofsoliciting any customer or prospect of the dealer on behalf of, or directingsuch customer or prospect to, any other dealer in a separate, stand‑alonewritten instrument dedicated solely to such authorization.

No manufacturer, factory branch,distributor, distributor branch, dealer management computer system vendor, orany third party acting on behalf of any manufacturer, factory branch,distributor, distributor branch, or dealer management computer system vendor,may provide access to customer or dealership information maintained in a dealermanagement computer system utilized by a motor vehicle dealer located in thisState, without first obtaining the dealer's prior express written consent,revocable by the dealer upon five business days written notice, to provide suchaccess. Prior to obtaining said consent and prior to entering into an initialcontract or renewal of a contract with a dealer located in this State, themanufacturer, factory branch, distributor, distributor branch, dealermanagement computer system vendor, or any third party acting on behalf of, orthrough any manufacturer, factory branch, distributor, distributor branch, ordealer management computer system vendor shall provide to the dealer a writtenlist of all third parties to whom any North Carolina dealer management computersystem data has been provided within the 12‑month period ending November1 of the prior year. The list shall further describe the scope of the dataprovided. In addition to the initial list, a dealer management computer systemvendor or any third party acting on behalf of, or through a dealer managementcomputer system vendor shall provide to the dealer an annual list of thirdparties to whom said data is being provided on November 1 of each year and towhom said data has been provided in the preceding 12 months and describe thescope of the data provided. Such list shall be provided to the dealer byJanuary 1 of each year. Any dealer management computer system vendor's contractthat directly relates to the transfer or accessing of dealer or dealer customerinformation must conspicuously state, "NOTICE TO DEALER: THIS AGREEMENTRELATES TO THE TRANSFER AND ACCESSING OF CONFIDENTIAL INFORMATION AND CONSUMERRELATED DATA". Such consent does not change any such person's obligationsto comply with the terms of this section and any additional State or federallaws (and any rules or regulations promulgated thereunder) applicable to themwith respect to such access. In addition, no dealer management computer systemvendor may refuse to provide a dealer management computer system to a motorvehicle dealer located in this State if the dealer refuses to provide anyconsent under this subsection, except to the extent that consent is deemed bythe parties to be reasonably necessary in order for the vendor to provide thesystem to the dealer.

(c)        No dealermanagement computer system vendor, or third party acting on behalf of orthrough any dealer management computer system vendor, may access or obtain datafrom or write data to a dealer management computer system utilized by a motorvehicle dealer located in this State, unless the dealer management computersystem allows the dealer to reasonably maintain the security, integrity, andconfidentiality of the customer and dealership information maintained in thesystem. No dealer management computer system vendor, or third party acting onbehalf of or through any dealer management computer system vendor, shallprohibit a dealer from providing a means to regularly and continually monitorthe specific data accessed from or written to the dealer's computer system andfrom complying with applicable State and federal laws and any rules orregulations promulgated thereunder. These provisions shall not be deemed toimpose an obligation on a manufacturer, factory branch, distributor,distributor branch, dealer management computer system vendor, or any thirdparty acting on behalf of any manufacturer, factory branch, distributor,distributor branch, or dealer management computer system vendor to provide suchcapability.

(d)        Any manufacturer,factory branch, distributor, distributor branch, dealer management computersystem vendor, or any third party acting on behalf of or through any dealermanagement computer system vendor, having electronic access to customer ormotor vehicle dealership data in a dealership management computer systemutilized by a motor vehicle dealer located in this State shall provide noticeto the dealer of any security breach of dealership or customer data obtainedthrough such access, which at the time of the breach was in the possession orcustody of the manufacturer, factory branch, distributor, distributor branch,dealer management computer system vendor, or third party. The disclosurenotification shall be made without unreasonable delay by the manufacturer,factory branch, distributor, distributor branch, dealer management computersystem vendor, or third party following discovery by the person, ornotification to the person, of the breach. The disclosure notification shalldescribe measures reasonably necessary to determine the scope of the breach andcorrective actions which may be taken in an effort to restore the integrity,security, and confidentiality of such data. Such measures and correctiveactions shall be implemented as soon as practicable by all persons responsiblefor the breach.

(e)        Nothing in thissection shall preclude, prohibit, or deny the right of the manufacturer,factory branch, distributor, or distributor branch to receive customer ordealership information from a motor vehicle dealer located in this State forthe purposes of complying with federal or State safety requirements orimplementing steps related to manufacturer recalls at such times as necessaryin order to comply with federal and State requirements or manufacturer recallsprovided that receiving this information from the dealer does not impair,alter, or reduce the security, integrity, and confidentiality of the customerand dealership information collected or generated by the dealer.

(f)         The followingdefinitions apply to this section:

(1)        "Dealermanagement computer system" – A computer hardware and software systemhaving dealer business process management modules that provide real time accessto customer records and transactions by a motor vehicle dealer located in thisState and that allow such motor vehicle dealer timely information in order tosell vehicles, parts or services through such motor vehicle dealership.

(2)        "Dealermanagement computer system vendor" – A seller or reseller of dealermanagement computer systems (but only to the extent that such person is engagedin such activities).

(3)        "Securitybreach" – An incident of unauthorized access to and acquisition of recordsor data containing dealership or dealership customer information whereunauthorized use of the dealership or dealership customer information hasoccurred or is reasonably likely to occur or that creates a material risk ofharm to a dealership or a dealership's customer. Any incident of unauthorizedaccess to and acquisition of records or data containing dealership ordealership customer information shall constitute a security breach.

(g)        The provisions ofG.S. 20‑308.1(d) shall not apply to an action brought under this sectionagainst a dealer management computer system vendor.

(h)        This section shallapply to contracts entered into on or after November 1, 2005. (2005‑409, s. 4; 2007‑513,s. 10.)