Reynolds and Reynolds sued over alleged data breach deflections

Dealership management system giant Reynolds and Reynolds has been sued in Texas for more than $1 million over allegations that Reynolds falsely blamed auto parts provider TradeMotion for data breaches in 2017 and 2018.

Automotive Capital Ventures, formerly known as TradeMotion, sued Reynolds and Reynolds, along with Reynolds’ in-house counsel Richard Rauch, on Thursday in Collin County District Court near Dallas.

Automotive Capital Ventures, which seeks an injunction preventing Reynolds from representing itself as TradeMotion, claims Reynolds and Rauch in July 2018 published letters to “hundreds if not thousands” of people and entities on behalf of TradeMotion, saying TradeMotion had a data breach resulting in fraudulent credit card charges.

The breaches appear related to the TradeMotion and Parts.com websites and not to Reynolds’ DMS clients. The lawsuit also alleges Reynolds used the TradeMotion name in offering LifeLock identify theft protection to consumers affected by the data breaches.

“This unauthorized notice scheme by Reynolds and Rauch, on the purported behalf of TradeMotion, LLC, was essentially nothing more than a coordinated effort to deflect the true and correct source of the apparent data breach — Reynolds itself,” the lawsuit alleged.

Reynolds and Reynolds spokesman Thomas Schwartz said in an email late Friday that Reynolds believes “that the allegations are wholly without merit.” He said the case came in retaliation for a separate lawsuit Reynolds filed against the CEO of Automotive Capital Ventures and an affiliated company in April in federal court in Texas.

Michael Lucas, CEO of Automotive Capital Ventures, told Automotive News that Thursday’s complaint is not retaliation.

The lawsuit alleges that Reynolds, of Dayton, Ohio, discovered a data breach on or about February or March 2018 and did not notify state attorneys general until months afterward, and not until after the annual National Automobile Dealers Association show, held that year in late March.

The plaintiff said it discovered on about Oct. 25 of this year that Reynolds and senior executives had “been wrongfully using and exercising control over the entity TradeMotion,” according to the lawsuit.

Automotive Capital Ventures said TradeMotion provided on-demand automotive parts software, parts services and data solutions.

In June 2017, Reynolds announced it had purchased e-commerce company TradeMotion of San Diego and that terms weren’t disclosed, though it said TradeMotion’s co-founder, Shawn Lucas, was to join Reynolds. TradeMotion’s platform includes Parts.com, a website for automakers’ parts and accessories, Reynolds said at the time.

Yet Automotive Capital Ventures’ lawsuit claims Reynolds and Rauch don’t own and have never owned any “equitable interest in TradeMotion.”

Lucas said that Reynolds bought the assets of TradeMotion LLC in 2017 and should have filed notice of the breaches as “The Reynolds and Reynolds Co. dba TradeMotion,” rather than “on behalf of TradeMotion LLC.”
He added that he changed the name of his company to Automotive Capital Ventures after selling the TradeMotion brand to Reynolds. Today, Automotive Capital Ventures is affiliated with software company i3 Brands and subsidiary PartProtection, which offers warranty protection on auto parts, Lucas said.

Thursday’s lawsuit claims Reynolds, acting as TradeMotion, sent notices of the data breaches to state attorneys general in California, Indiana, Maine, Maryland, Massachusetts, Montana, New Hampshire, North Carolina, Oregon, Vermont and Washington.

An October 2017 TradeMotion breach involved 1,036 people in Indiana and 81,782 people overall, according to information posted on the website of the Indiana state attorney general.

In a July 24, 2018, letter from Rauch to the New Hampshire Department of Justice, on TradeMotion letterhead, Rauch wrote that TradeMotion was notified by a “small number of consumers and partners” that some consumers experienced fraudulent credit card charges after using their card on TradeMotion’s website. Some consumers were impacted on TradeMotion’s Parts.com website, said the letter, which was included as an exhibit filed with the lawsuit.

Rauch wrote that the investigation found that an unauthorized individual obtained consumers’ names, billing addresses, emails, phone numbers, credit and debit card numbers, CVV codes and expiration dates on five different dates in October 2017, January 2018, February 2018, March 2018 and May 2018.

Reynolds filed a separate lawsuit in April in federal court against i3 Brands and Lucas, claiming that i3 Brands breached a $2 million loan agreement with Reynolds. A jury trial in that case could be held in the spring of 2021, according to court records.