In my last article in this space, I addressed what dealerships should do when a vendor gets hacked and loses data impacting clients. In this article I want to address what federal and state governments are doing about it, and how that may impact dealers.
For dealers and industry IT professionals, last year’s hack of 700Credit was more than a cybersecurity story — it was a reality check. Many consumers don’t even recognize the name 700Credit, but they do recall financing a vehicle. That disconnect highlights how deeply third‑party vendors have become embedded in the automotive finance ecosystem, quietly handling critical consumer data on behalf of dealers across the country.
What Happened and Why It Matters
700Credit’s breach was blamed on a third‑party partner that failed to notify the company. Hackers used that partner’s compromised credentials to hit the credit provider’s application layer and harvest sensitive consumer data.
The supply‑chain attack on a back‑end application programming interface is indicative of modern cybersecurity risks. Leaning heavily on integration partners and software ecosystems means that a breach at one node can ripple outward, undermining trust in the entire value chain.
Dealers’ margins are already compressed. The risks aren’t just reputational; they’re operational and regulatory. Dealers aren’t just selling cars; they’re custodians of sensitive financial data.
The breach also underscores a tough truth: You can’t secure what you don’t control. 700Credit’s internal systems weren’t directly breached, but unauthorized access to records that flowed through them was enough to compromise millions. Dealers are now wrestling with the fallout, from customer alerts and credit-monitoring services to potential legal claims.
The Regulatory Landscape: Fragmented but Evolving
State and local governments have been aggressively filling the federal regulatory gap. What used to be a patchwork primarily governed by breach-notification laws has become a complex quilt of comprehensive consumer privacy statutes, data broker restrictions and emerging requirements for how sensitive data is collected, shared and deleted.
As of late 2025, about 20 states had enacted comprehensive data-privacy laws, with others amending statutes. The laws require entities that collect or process personal information to comply with transparency, security and consumer-rights obligations and require companies to implement reasonable safeguards and breach-response protocols.
Florida’s breach notification protocol may differ from Minnesota’s; data access rights in Connecticut may differ from those in Texas. Organizations operating nationally face simultaneous state obligations. Centralized compliance programs and tight vendor risk management have never been more crucial.
Soft Pulls: Consumer Consent and Legal Risks
One of the thornier issues behind the 700Credit discussion is the role of “soft pulls,” which don’t impact a consumer’s credit score and typically don’t require Social Security numbers. Soft pulls do produce FICO scores and loan summaries, and providers use them to prequalify leads for dealers.
Consumers may be unaware that a soft pull is occurring. That lack of explicit consent and awareness can create friction with evolving data-privacy norms, particularly in states where transparency and clear consent are foundational principles of privacy law.
The absence of consent isn’t always illegal. Many soft pulls comply with the Fair Credit Reporting Act if a permissible purpose exists. But they muddy the waters when it comes to consumer expectations and trust. Exposed data becomes fodder for identity theft and phishing, leading consumers to question why their information was shared in the first place. And when state laws require affirmative consent or enhanced disclosure for certain types of processing, the soft pulls will be scrutinized more closely.
For companies like 700Credit, the breach highlights that permissioned but opaque data flows aren’t enough. Dealers may need to revisit disclosures, ensuring customers understand who handles their data, how it’s processed, and the rights they have if something goes wrong.
Conclusion: A Wake‑Up Call for Automotive Data Security
Recent data breaches in retail automotive have demonstrated that even large and sophisticated tech companies are not immune from cyberattacks. Dealers and their partners must invest in hardened systems, continuous compliance monitoring and clear consumer communication.
In a world where data is the fuel of finance, securing it must be a priority, not just for legal compliance, but for maintaining the trust that keeps customers coming back.
James S. Ganther is an attorney and CEO of Mosaic Compliance Services.