CDK Cyber Incident Serves as a Reminder to Dealers to Protect Data and Systems

This message was sent from NADA to all members on June 20, 2024

CDK Global has shut down all systems because it experienced a “cyber incident.”

Tell me more: Beginning on Wednesday, June 19, CDK Global reported that it had experienced a “cyber incident” that caused it to shut down all systems. On Wednesday afternoon, CDK announced that it restored DMS, Digital Retail, and CDK Phones, including Unify and DMS direct login access, but then experienced another incident late Wednesday evening that caused it again to shut down all systems. CDK cannot estimate how long the outage will last and its customer service is unavailable.

What’s next: NADA is in communication with CDK’s legal office and is seeking additional information about the incident, including whether there has been any unauthorized acquisition of unencrypted customer information. NADA urges its members to consult with counsel concerning any federal or state legal responsibilities it may have related to the incident.

As part of this process, dealers should review their compliance with their full range of responsibilities under the recently-amended FTC Safeguards Rule, which are set forth in NADA’s Driven Guide on the topic. Dealers should pay particular attention to the following requirements contained in the Amended Safeguards Rule:

  • The numerous technological requirements including the need to encrypt all customer information held or transmitted by the dealer when in transit over external networks and when at rest;
  • The establishment of a written incident response plan that is designed to help a dealer promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the dealership’s control; and
  • The need to report “notification events” involving at least 500 consumers to the FTC when there has been an “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.”
    • If applicable, reporting must take place if the incident occurred in dealer-controlled systems, including those maintained by vendors.
    • The notification requirement requires reporting to the FTC only, not to customers.
    • This is separate from customer notification or other requirements imposed under state data breach notification laws.

Go deeper: There are several resources to help address data security and regulatory compliance, including:

  1. NADA Safeguards Rule Driven Guide
  2. FTC Cybersecurity Basics

The foregoing is offered for informational purposes only and is not intended as legal advice. Consult legal counsel that is familiar with applicable federal, state, and local law for specific guidance on legal requirements applicable to your operations.