CDK Resource Center

What is VADA doing to help?

At VADA, we have been working closely with Virginia DMV, which has taken swift action to enable affected CDK/CVR dealers to issue Print-on-Demand temporary tags through other online dealer service providers who have offered support during this challenging time. We expect CDK services to be restored around July 4 and registration and titling services with CVR restored sometime next week, we know you have options for those services and encourage you to work with those service providers.

Contact an alternate online dealer vendor as soon as possible for assistance. One of those is VADA partner Dealertrack. Our contact Kim Haddaway can be reached via email or at 757.985.6940.

Update: July 3

Legal and Regulatory Considerations for Auto Dealers: ComplyAuto has released a Legal and Regulatory Considerations guide to aid dealers in getting back up and running as systems begin to come back online. The platform should be operational as of Thursday, July 4th. This comprehensive guide delves into the critical aspects dealers need to consider, from understanding legal obligations to implementing robust security measures.

Additional Resources & Special Offer for VADA Members: In collaboration with VADA, ComplyAuto is offering a complimentary, comprehensive 90-day service, including email protection, phishing simulations, FTC Safeguards Rule Compliance, and a 50-state data breach reporting tool. To take advantage of this special offer, please contact Sherryl B. Nens at sherryl@complyauto.com or 661-210-3453.

Update: July 1

Bottom line: Per NADA, CDK will file a "consolidated breach notification" with the Federal Trade Commission on behalf of dealer clients if the company determines that Federal Notification Requirement is triggered. Thanks to NADA and CDK's joint proposal to the FTC, which was accepted by the agency, dealers have no obligation to file a breach notification related to this matter.

Background: The newly amended FTC Safeguards Rule requires financial institutions (including dealers) to provide an electronic notice to the agency as soon as possible and no later than 30 days after discovering a notification event involving the information of at least 500 consumers. A notification event is the unauthorized acquisition of unencrypted customer information. Questions have arisen concerning whether the security incident reported by CDK on June 19 triggers this requirement.

What does that mean for dealers? Each dealer client of CDK would be required to file a breach notification with the FTC and complete its data fields including (among other entries) the types of information involved in and a summary of the notification event. Because information surrounding the security incident is subject to an internal, ongoing investigation by CDK and therefore is unavailable to CDK’s dealer clients, dealers are unable to determine whether the federal notification requirement has been triggered.

But wait: NADA, in coordination with CDK counsel, proposed to the FTC that the agency permit the company to file a single electronic notice on behalf of all of its affected dealer clients should CDK conclude the notification requirement has been triggered.

What then? In such notice, CDK would complete all of the required data fields based on available information, including the identity of its affected dealer clients. A filing by CDK – or a determination by CDK that the notification requirement has not been triggered – would satisfy any reporting obligation the dealer may have under the FTC Safeguards Rule.

The FTC has accepted NADA’s proposal. Consequently, dealers have no obligation to file a breach notification with the FTC related to this matter. A dealer can opt out of having CDK handle this matter on its behalf, in which case the dealer would have to file the notification.

However, dealers are reminded that (i) the full range of FTC Safeguards Rule requirements remain in effect, and (ii) every state has a breach notification requirement and the FTC’s acceptance of this proposal has no effect on state notification requirements. Therefore, it is important for dealers to consult with legal counsel to ensure they are in compliance with any applicable state breach notification requirements.

CDK will communicate directly with its dealer clients related to this matter.

Update: June 28

• VADA external counsel Barrie Charapp Beaty has developed a checklist dealers can use in the wake of an incident like the CDK cyberattack. Get it now.
• NADA has released an update regarding the Federal Notification Requirement and other guidance. It is copied below.

What’s the latest: CDK announced that it brought a small test group of dealers live on the core DMS (accounting parts, service, sales F&I, user management and document management) on June 26 and a second group on June 27, including a large public dealer. CDK also stated that there “are some integration points with OEM systems and third-party partners that may not be live immediately but will be phased in as quickly as possible” and that the company is actively working on bringing back CDK CRM, ONE-EIGHTY, and CDK Service—and they expect Customer Care to go live late afternoon Friday.

NADA continues to communicate with CDK, but company representatives have not confirmed whether any unauthorized parties acquired unencrypted customer information, nor did they provide any other details of the incident.

What you should do: Dealers should be aware that the FTC requires notification to the FTC (not to customers) of the acquisition of unencrypted customer information without authorization involving at least 500 consumers. This must occur “as soon as possible and no later than 30 days after discovery of the event.” While dealers should consult with their legal counsel regarding compliance with this requirement, given the scale of this event NADA staff has been in communication with FTC staff about when notification must be provided to the FTC. At this time, NADA believes that dealers do not need to provide such a notification imminently, and NADA will provide further information as more information is known about this incident. As this could change, NADA has urged CDK to notify dealers promptly if it learns that such information has been compromised.

Separate and apart from the FTC breach notification requirement, every state has a breach-notification statute with its own set of requirements and deadlines, and dealers should consult their legal counsel about necessary steps to ensure compliance with state law.

Additional items for dealers to consider: Dealers should review their compliance with the FTC Safeguards Rule (including the required written information security program) and be aware of recent amendments to the rule that require, among many other elements, encryption of customer information both in transit and at rest, and the establishment of a written incident response plan. Details of the FTC Safeguards Rule are in NADA’s Safeguards Rule Driven guide (below).

Appendix A of the guide contains a draft incident response plan, which includes steps a dealership can take in the event of a security event. Steps include, but are not limited to, the following, and the guide contains significant detail under each heading:

• Securing dealership operations. (p. 51)
• Remediating weaknesses and fixing vulnerabilities. (p. 52)
• Developing a comprehensive communications plan. (p. 53)
• Notifying appropriate parties. (p. 54)

Go deeper: As a reminder, there are several resources to help dealers address data security and regulatory compliance, including:

• NADA Safeguards Rule Driven Guide
• FTC Cybersecurity Basics
• Cybersecurity and Infrastructure Security Agency (CISA) resources

Update: June 27

Get the deck from ComplyAuto outlining the steps dealerships need to be taking after this incident.