For Canadian car dealerships
Managed IT Services for Car Dealerships in British Columbia
Sales desking, F&I, parts ordering, and service RO billing all run through one system. We work to keep it up, and we lock down the credit applications and SINs inside it by department, so an outage stays an inconvenience.
- 81+ Google reviews
- ~15-minute response time
- No contracts, month to month
- Microsoft Partner
One system, every department
Most stores run on a single DMS: CDK, Reynolds and Reynolds, PBS, Serti, Quorum, Dealertrack or Tekion. When it is offline, the service drive can't close ROs, parts can't order or invoice, and F&I can't book deals. The losses don't pause, they stack across departments by the hour.
In June 2024, the CDK Global ransomware outage took roughly 15,000 North American dealers offline for about two weeks. That is the kind of event a backup plan is supposed to survive.
The data inside the DMS makes a store a target. Credit applications, driver's licences, and SINs sit in the F&I tools. If logins are shared, networks are flat, and there is no access control by department, an F&I credit file can be reached from a showroom or service terminal.
None of this means your store has a problem today. It means the stakes are high enough to be worth a look.
Worth knowing for Canadian dealerships
A few things that come up often when we look at dealership IT. Plain facts, grounded in the rules, with a common myth cleared up.
-
Myth: the cloud is banned for dealer records
Reality: neither PIPEDA nor OMVIC bans cloud or cross-border storage. PIPEDA lets you use a third-party processor, including a US-based one, as long as you stay accountable and contract for comparable safeguards. OMVIC allows electronic and cloud record-keeping for Ontario dealers, it just asks for the Registrar's permission to store records off-site. The real job is to control access, encrypt the data, and be able to report a real-risk breach.
-
PIPEDA asks you to keep a record of every breach
A breach that poses a real risk of significant harm must be reported to the Privacy Commissioner and to affected customers. Separately, you have to keep a record of all security-safeguard breaches, serious or not, for at least 24 months. Most stores have no process for this part.
-
The data in F&I is exactly what PIPEDA protects
PIPEDA names SINs, credit and debit card data, and credit reports as personal information. That is the contents of an F&I file. It is also why a dealership is a target, and why access to those files is worth controlling by department.
-
New FINTRAC obligations for dealers offering financing
Per FINTRAC guidance, as of April 1, 2025 dealerships that offer vehicle financing or leasing are reporting entities. That means verifying client ID, keeping records, naming a compliance officer, and filing suspicious-transaction reports. FINTRAC set a transition period running to April 1, 2026, and penalties can reach $500,000 for a very serious violation. [[verify]] We are an IT company, so confirm the specifics with your compliance advisor.
-
Backups on the DMS network do not survive ransomware
If your backup sits on the same network as the DMS, an attack takes both at once. The 2024 CDK outage affected about 15,000 dealers for roughly two weeks. Isolated backups that you actually test for restore are what gets the store running again quickly.
-
Downtime cost stacks, it does not pause
When the DMS is offline, the service drive can't close ROs, parts can't invoice, and F&I can't book deals at the same time. Anderson Economic Group estimated franchised dealer losses from the CDK outage at about $1.02 billion over three weeks. [[verify]]
Umbrella IT Services is an IT company, not a law firm, accountant, or compliance authority. This is general information, not legal or professional advice. Confirm your obligations with a qualified advisor.
Sources
- Office of the Privacy Commissioner: PIPEDA breach reporting (RROSH, 24-month records)
- Office of the Privacy Commissioner: PIPEDA requirements in brief
- FINTRAC: obligations and guidance for reporting entities
- OMVIC: Electronic Record-Keeping Guideline (6-year retention, cloud permission)
- TechTarget: The CDK Global outage explained (about 15,000 dealers, about 2 weeks)
- Anderson Economic Group: Dealer losses from CDK cyberattack reach $1.02 billion
- CNN Business: CDK almost certainly paid a $25 million ransom
What makes us different
Department-level access control
We separate the network and lock F&I data down by role. A service terminal can't reach a credit file, and a showroom login can't either.
Backups that survive ransomware
Backups that live on the same network as the DMS are useless after an attack. We keep yours separate and test that they actually restore.
11-minute average response time
When something breaks on the drive, you reach a senior tech fast. No junior techs are assigned to your account.
Month-to-month, no onboarding fee
No long contracts and no setup charge. If we are not earning the relationship, you can leave.
A written security program
About 178 written policies, with a former IDF security officer leading security. That includes a breach-record process, which most stores do not have.
Quarterly business reviews
We sit down every quarter (vCIO/QBR) to look at risk, spend, and what is coming next quarter. You get a clear picture, not just an invoice at the end of the month.
What we do for dealerships
We start by mapping how your store depends on the DMS and where the financing data lives. Then we close the gaps that turn an outage into a shutdown and a login into a breach. We work with CDK, Reynolds, PBS, Serti, Quorum, Dealertrack and Tekion environments.
- Separate, tested backups that are isolated from the DMS network
- Department-level access so F&I credit files stay out of the showroom and service drive
- Microsoft 365 with Canadian data residency (Microsoft runs datacentres in Toronto and Quebec City) for stores that want it
- A written breach-record process so you can keep records for the PIPEDA 24-month window
- White-glove migration with a no-downtime guarantee if you need to move email or files (pricing quoted up front [[verify]])
- 30% off projects and labour, plus monthly training seminars for your staff
Results you can measure
The Dealership DMS and Data Checklist: 7 Things to Confirm Before the Next Outage
Worth a 20-minute look
We will walk through how your store depends on the DMS, where the financing data sits, and what an outage would actually cost you by department. No pitch deck. If everything checks out, you leave with a clean bill of health.