Legal and Compliance Considerations on CDK and other Cyberattacks

Note: This guidance was put together by VADA's external counsel, Barrie Charapp Beaty. For the CDK breach, VADA is not in a position to render advice as to whether notification needs to be sent at this time, nor as to the specific protocols dealers should be following. No information has been provided that customer data has been breached. Additionally, NADA is actively speaking with both CDK and the FTC about the breach and the Safeguards Rule notification requirement. Dealers may want to await further guidance from NADA on Safeguards Rule notification. While this information is most pertinent to CDK dealers at this time, all dealers need to review this reminder and the actions to consider in the event of a data breach on their own systems or those of their vendors.

June 28, 2024

By Barrie Charapp Beaty
Charapp & Weiss, LLP
bbeaty@cwattorneys.com

At this time, no information has been released as to what the CDK Global cyberattack entailed. However, this type of attack is not unique to CDK and could occur with any vendor with whom you do business. Your organization should have a data breach protocol in place, including a designated person in charge in the event of a data breach. This letter is a checklist for all dealers — not just those with CDK — of reminders and actions that can be taken at this time.

Insurance

Dealers should pull and read their insurance policies, specifically any policies covering cyber insurance, cyberattacks and business interruption. Dealers need to understand what is and is not covered under those policies, including any notice deadlines the policy imposes for reporting an incident to the carrier. If you have questions about your policies and what is covered, speak to your insurance agent or carrier.

Letter to Vendor

If a vendor is breached, Virginia dealers have the right to know whether personal information has been accessed. This is pursuant to Va. Code 18.2-186.6(D):

"An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonably believes the personal information was accessed and acquired by an unauthorized person."

The letter to the vendor should request information regarding the breach: when the vendor discovered it (the statute's "without unreasonable delay" runs from discovery); whether the data kept by the vendor was encrypted; if encrypted, whether the encryption key was also accessed by an unauthorized person; whether the dealer's records were accessed and part of the breach; and, if so, the number of dealer records affected and which data elements they contained. Specifically, dealers need to ask whether their customer data was encrypted, accessed and part of the breach, because the answers to those questions determine whether the dealer's own notification obligations are triggered.


Addendum to the Vendor Agreement for compliance with the Safeguards Rule

The Safeguards Rule requires dealers to oversee their service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information. To meet that requirement, dealers need addenda to their vendor agreements stating that the vendor maintains the dealer's customer data in compliance with the Safeguards Rule. Dealers should have those addenda on hand and review all of their vendor agreements to ensure that one is in place for every vendor that handles customer information.

Data Security

Dealers should ensure that their own systems have security controls in place and should run scans to confirm that no malware or virus has reached those systems, paying particular attention to any workstations, credentials or integrations that connect to an affected vendor's platform. Dealers should be speaking with their IT providers to confirm that all security protocols are in place and that any findings are documented.

Customer Information Breach Protocols under Federal and State Law

You should have a written information security program and plan pursuant to the Safeguards Rule. NADA has a sample program and plan, which is highly recommended. When there is a data breach of customer information, you may have notification requirements under Virginia law (to affected Virginia residents and the Office of the Attorney General) and with the FTC. As you will recall, last month we notified you that the Safeguards Rule now requires dealers to file a notice with the FTC, as soon as possible and no later than 30 days after discovery, when a breach involves the unencrypted customer information of 500 or more customers. For this purpose, encrypted information is treated as unencrypted if the encryption key was accessed by an unauthorized person, which is why the encryption questions to your vendor matter. You need to consult your attorney regarding the need for any notification for data breaches related to customer information, and what those notifications should look like.