AI is rapidly finding its way into dealerships.

Employees are using AI tools to draft emails, summarize documents, create spreadsheets, analyze reports, improve customer communications, and solve everyday business problems faster than ever before.

In many ways, AI is becoming as common in the workplace as email and web browsers.

But there’s a growing compliance and cybersecurity issue that many dealerships haven’t fully considered:

Employees are sharing customer information with public AI platforms.

And in many cases, they don’t even realize they’re creating a problem.

The New Way Customer Information Leaves the Dealership

Many dealership leaders assume customer information only leaves the dealership through a cyberattack, data breach, or malicious insider.

Increasingly, that’s not the case.

Consider the following common scenarios:

  • A service advisor copies and pastes customer information into an AI chatbot and asks it to draft a response to a customer complaint.
  • A sales manager uploads CRM notes into an AI tool to create personalized follow-up messaging for a prospect.
  • A controller uploads a spreadsheet containing customer names, account balances, and payment histories to help analyze trends.
  • An F&I employee asks an AI platform to summarize customer credit application information or generate customer correspondence.
  • A marketing employee uploads customer data to help an AI tool create targeted campaigns or promotional content.
  • A department manager shares internal reports containing customer information and asks an AI platform to identify opportunities for improvement.

None of these employees are acting with bad intentions.

In fact, they’re usually trying to be more productive, provide better customer service, or improve dealership performance.

The problem is that customer information has now left the dealership’s controlled environment and been shared with a third-party platform.

And in many cases, neither the employee nor dealership leadership fully understands where that information is being stored, how long it may be retained, or who may have access to it.

Why This Is More Than a Cybersecurity Issue

Many dealership employees view AI as a productivity tool.

They don’t see it as a third party.

If someone uploaded a customer credit application to a random website, most employees would recognize that as a serious problem.

But uploading the same information into an AI chatbot often feels different.

It feels safe.

It feels harmless.

It feels like they’re simply using software to help them do their job.

Unfortunately, regulators may see it very differently.

The FTC Requires a Comprehensive Information Security Program

The FTC Safeguards Rule requires dealerships to develop, implement, and maintain a comprehensive information security program designed to protect customer information.

This requirement extends far beyond antivirus software, vulnerability scans, or annual compliance checklists.

A comprehensive information security program includes:

  • Risk management
  • Policies and procedures
  • Employee training
  • Access controls
  • Monitoring and oversight
  • Protection of customer information
  • Ongoing governance of emerging risks

Artificial Intelligence is now one of those emerging risks.

If dealership personnel are sharing customer information with public AI systems without proper policies, controls, and oversight, regulators could reasonably question whether the dealership is maintaining the comprehensive information security program required by the FTC Safeguards Rule.

Simply put:

The unauthorized sharing of customer PII with public AI models isn’t merely poor cybersecurity practice – it may represent a failure to maintain the comprehensive information security program required by the FTC Safeguards Rule.

What Counts as Customer PII?

Dealerships handle enormous amounts of sensitive customer information, including:

  • Names
  • Addresses
  • Phone numbers
  • Email addresses
  • Driver’s license numbers
  • Social Security numbers
  • Credit application information
  • Financial records
  • Banking information
  • Vehicle ownership records
  • Payment information

This information is precisely the type of data the FTC expects dealerships to protect.

When employees enter this information into public AI systems, they may be exposing it to risks that dealership leadership never intended.

Why Public AI Usage Creates a Compliance Gap

One of the biggest concerns with public AI tools is visibility.

Many dealerships have no way of knowing:

  • Which AI platforms employees are using
  • What information is being uploaded
  • Whether customer information is being shared
  • How long that information is retained
  • Whether the information could be accessed by others
  • Whether the platform’s security controls meet dealership requirements

That’s a problem.

A comprehensive information security program requires organizations to understand and manage risks to customer information.

You cannot effectively manage a risk you don’t know exists.

Shadow AI Is the New Shadow IT

For years, cybersecurity professionals have warned businesses about “Shadow IT” – employees using unauthorized technology without IT’s knowledge.

Now we’re seeing the rise of “Shadow AI.”

Employees can access powerful AI tools in seconds using nothing more than a web browser.

No approval.

No security review.

No compliance assessment.

No training.

The result is that dealership leadership may have little visibility into how AI is being used across the organization and whether customer information is being shared outside approved systems.

AI Isn’t the Problem

Let’s be clear.

AI itself is not the enemy.

In fact, AI has the potential to significantly improve dealership operations.

The dealerships that learn how to safely leverage AI will likely gain meaningful efficiency and productivity advantages.

The goal should not be to ban AI.

The goal should be to govern AI.

That means establishing:

  • AI usage policies
  • Employee training
  • Approved AI platforms
  • Rules regarding customer information
  • Monitoring and oversight procedures
  • Risk assessment processes

Just as dealerships developed policies around email, internet access, and mobile devices, they now need policies governing Artificial Intelligence.

Questions Every Dealership Executive Should Ask

If your dealership has not addressed AI governance, now is the time.

Ask yourself:

  • Do we know which AI tools employees are using?
  • Have we established an AI usage policy?
  • Have employees been trained on acceptable AI usage?
  • Are employees prohibited from sharing customer PII with public AI systems?
  • Have we assessed the compliance implications of AI?
  • Can we demonstrate that AI usage is governed by our information security program?

Many dealership executives are surprised by the answers.

Final Thoughts

Artificial Intelligence is transforming how people work.

But the FTC Safeguards Rule has not changed.

Dealerships are still required to maintain a comprehensive information security program designed to protect customer information.

The challenge is that AI has created a new avenue through which sensitive customer data can leave the dealership – often through well-intentioned employees simply trying to be more productive.

The question dealership executives should be asking is not:

“Are our employees using AI?”

The question is:

“Do we have the policies, controls, training, and oversight necessary to ensure AI usage is consistent with our comprehensive information security program?”

Because when it comes to FTC compliance, customer information must remain protected – regardless of whether the threat comes from a cybercriminal, a vendor, or an employee using the latest AI tool.

Need Help?

Helion helps auto and truck dealerships build cybersecurity and compliance programs that satisfy FTC Safeguards Rule requirements while enabling the safe adoption of new technologies such as Artificial Intelligence.

If you’re unsure how AI is being used within your dealership – or whether customer information may already be flowing into public AI platforms – contact Helion for a complimentary cybersecurity assessment.