Reynold and Reynolds sued over alleged data breach deflections

Dealership management system giant Reynolds and Reynolds has been sued in Texas for more than $1 million over allegations that Reynolds falsely blamed auto parts provider TradeMotion for data breaches in 2017 and 2018.

Automotive Capital Ventures, formerly known as TradeMotion, sued Reynolds and Reynolds, along with Reynolds’ in-house counsel Richard Rauch, on Thursday in Collin County District Court near Dallas.

Automotive Capital Ventures, which seeks an injunction preventing Reynolds from representing itself as TradeMotion, claims Reynolds and Rauch in July 2018 published letters to “hundreds if not thousands” of people and entities on behalf of TradeMotion, saying TradeMotion had a data breach resulting in fraudulent credit card charges. The breaches appear related to the TradeMotion and Parts.com websites and not to Reynolds’ DMS clients. The lawsuit also alleges Reynolds used the TradeMotion name in offering LifeLock identify theft protection to consumers affected by the data breaches.

“This unauthorized notice scheme by Reynolds and Rauch, on the purported behalf of TradeMotion, LLC, was essentially nothing more than a coordinated effort to deflect the true and correct source of the apparent data breach — Reynolds itself,” the lawsuit alleged.

Reynolds and Reynolds could not immediately be reached for comment. Messages were left with lawyers for Automotive Capital Ventures, as well as with company executives.

The lawsuit alleges that Reynolds, of Dayton, Ohio, discovered a data breach on or about February or March 2018 and did not notify state attorneys general until months afterward, and not until after the annual National Automobile Dealers Association show, held that year in late March.

The plaintiff said it discovered on about Oct. 25 of this year that Reynolds and senior executives had “been wrongfully using and exercising control over the entity TradeMotion,” according to the lawsuit.

Automotive Capital Ventures said TradeMotion provided on-demand automotive parts software, parts services and data solutions.

In June 2017, Reynolds announced it had purchased e-commerce company TradeMotion of San Diego and that terms weren’t disclosed, though it said TradeMotion’s co-founder, Shawn Lucas, was to join Reynolds. TradeMotion’s platform includes Parts.com, a website for automakers’ parts and accessories, Reynolds said at the time.

Yet Automotive Capital Ventures’ lawsuit claims Reynolds and Rauch don’t own and have never owned any “equitable interest in TradeMotion.” The companies’ relationship was not immediately clear Friday.

The lawsuit claims Reynolds, acting as TradeMotion, sent notices of the data breaches to state attorneys general in California, Indiana, Maine, Maryland, Massachusetts, Montana, New Hampshire, North Carolina, Oregon, Vermont and Washington.

An October 2017 TradeMotion breach involved 1,036 people in Indiana and 81,782 people overall, according to information posted on the website of the Indiana state attorney general.

In a July 24, 2018, letter from Rauch to the New Hampshire Department of Justice, on TradeMotion letterhead, Rauch wrote that TradeMotion was notified by a “small number of consumers and partners” that some consumers experienced fraudulent credit card charges after using their card on TradeMotion’s website. Some consumers were impacted on TradeMotion’s Parts.com website, said the letter, which was included as an exhibit filed with the lawsuit.

Rauch wrote that the investigation found that an unauthorized individual obtained consumers’ names, billing addresses, emails, phone numbers, credit and debit card numbers, CVV codes and expiration dates on five different dates in October 2017, January 2018, February 2018, March 2018 and May 2018.