Update: July 31
After the June 19, 2024, CDK cyber security incident, CDK has worked tirelessly to restore service. Currently, all major applications—including the Dealer Management System (DMS), CDK Service, and CDK CRM—are available, and the restoration of all OEM and third-party integrations is nearly complete.
CDK has been actively investigating the issue with the assistance of leading third-party experts. As of now, CDK has not determined that any PII was impacted.
While the investigation is ongoing, CDK aims to address your concerns about your potential obligations to comply with the regulatory reporting and notification requirements under the Federal Trade Commission (FTC) Safeguards Rule and state breach notification laws.
- Notice under FTC Safeguards Rule. CDK previously informed you on July 1, 2024, that in order to alleviate the burden on their dealer customers of potentially filing individual notices, CDK has obtained permission from the FTC to file a consolidated notice on behalf of all of their affected dealer clients, should they determine that the reporting requirement under the FTC Safeguards Rule has been triggered. As a result, individual dealers will not need to file notices with the FTC regarding CDK’s June 19 security incident unless you opt out. On July 17, 2024, CDK provided an initial notice to the FTC. The initial notice states that “CDK’s investigation into the security incident is ongoing. At present, the number of consumers potentially affected, if any, is unknown. The Company will provide a supplemental submission and/or follow up with Staff once more information is known.” If their investigation into the incident indicates that the reporting requirement under the Safeguards Rule has been triggered and additional information needs to be provided to the FTC, CDK will provide it on behalf of affected dealers.
- Notices under State Laws. Regarding dealer customers’ potential notice obligations under state data breach notification law, they will take the same approach as they did regarding the FTC Safeguards Rule notice. If based on their investigation they determine that any notifications under state breach notification laws (such as notices to state Attorneys General or to consumers) are required, CDK will provide the notifications on behalf of affected dealers unless you opt out.
- Logistics and What to Expect. Upon the completion of the investigation, if CDK determines that any reporting or notice requirements under the FTC Safeguards Rule or any state data breach notification laws have been triggered, they will update you and follow up regarding the logistics of the notification process, including how you may opt out if you don’t wish CDK to handle such reporting or notice on your behalf.
Update: July 3
Legal and Regulatory Considerations for Auto Dealers: ComplyAuto has released a Legal and Regulatory Considerations guide to aid dealers in getting back up and running as systems begin to come back online. The platform should be operational as of Thursday, July 4th. This comprehensive guide delves into the critical aspects dealers need to consider, from understanding legal obligations to implementing robust security measures.
Additional Resources & Special Offer for VADA Members: In collaboration with VADA, ComplyAuto is offering a complimentary, comprehensive 90-day service, including email protection, phishing simulations, FTC Safeguards Rule Compliance, and a 50-state data breach reporting tool. To take advantage of this special offer, please contact Sherryl B. Nens at sherryl@complyauto.com or 661-210-3453.
What is VADA doing to help?
At VADA, we have been working closely with Virginia DMV, which has taken swift action to enable affected CDK/CVR dealers to issue Print-on-Demand temporary tags through other online dealer service providers who have offered support during this challenging time. We expect CDK services to be restored around July 4 and registration and titling services with CVR to be restored sometime next week. We know you have options for those services and encourage you to work with those service providers.
Contact an alternate online dealer vendor as soon as possible for assistance. One of those is VADA partner Dealertrack. Our contact Kim Haddaway can be reached via email or at 757.985.6940.
Update: July 1
Bottom line: Per NADA, CDK will file a "consolidated breach notification" with the Federal Trade Commission on behalf of dealer clients if the company determines that the Federal Notification Requirement is triggered. Thanks to NADA and CDK's joint proposal to the FTC, which was accepted by the agency, dealers have no obligation to file a breach notification related to this matter.
Background: The newly amended FTC Safeguards Rule requires financial institutions (including dealers) to provide an electronic notice to the agency as soon as possible and no later than 30 days after discovering a notification event involving the information of at least 500 consumers. A notification event is the unauthorized acquisition of unencrypted customer information. Questions have arisen concerning whether the security incident reported by CDK on June 19 triggers this requirement.
What does that mean for dealers? Each dealer client of CDK would be required to file a breach notification with the FTC and complete its data fields including (among other entries) the types of information involved in and a summary of the notification event. Because information surrounding the security incident is subject to an internal, ongoing investigation by CDK and therefore is unavailable to CDK’s dealer clients, dealers are unable to determine whether the federal notification requirement has been triggered.
But wait: NADA, in coordination with CDK counsel, proposed to the FTC that the agency permit the company to file a single electronic notice on behalf of all of its affected dealer clients should CDK conclude the notification requirement has been triggered.
What then? In such notice, CDK would complete all of the required data fields based on available information, including the identity of its affected dealer clients. A filing by CDK – or a determination by CDK that the notification requirement has not been triggered – would satisfy any reporting obligation the dealer may have under the FTC Safeguards Rule.
The FTC has accepted NADA’s proposal. Consequently, dealers have no obligation to file a breach notification with the FTC related to this matter. A dealer can opt out of having CDK handle this matter on its behalf, in which case the dealer would have to file the notification.
However, dealers are reminded that (i) the full range of FTC Safeguards Rule requirements remain in effect, and (ii) every state has a breach notification requirement and the FTC’s acceptance of this proposal has no effect on state notification requirements. Therefore, it is important for dealers to consult with legal counsel to ensure they are in compliance with any applicable state breach notification requirements.
CDK will communicate directly with its dealer clients related to this matter.
Update: June 28
- VADA external counsel Barrie Charapp Beaty has developed a checklist dealers can use in the wake of an incident like the CDK cyberattack. Get it now.
- NADA has released an update regarding the Federal Notification Requirement and other guidance. It is copied below.
What’s the latest: CDK announced that it brought a small test group of dealers live on the core DMS (accounting parts, service, sales F&I, user management and document management) on June 26 and a second group on June 27, including a large public dealer. CDK also stated that there “are some integration points with OEM systems and third-party partners that may not be live immediately but will be phased in as quickly as possible” and that the company is actively working on bringing back CDK CRM, ONE-EIGHTY, and CDK Service—and they expect Customer Care to go live late afternoon Friday.
NADA continues to communicate with CDK, but company representatives have not confirmed whether any unauthorized parties acquired unencrypted customer information, nor did they provide any other details of the incident.
What you should do: Dealers should be aware that the FTC requires notification to the FTC (not to customers) of the acquisition of unencrypted customer information without authorization involving at least 500 consumers. This must occur “as soon as possible and no later than 30 days after discovery of the event.” While dealers should consult with their legal counsel regarding compliance with this requirement, given the scale of this event NADA staff has been in communication with FTC staff about when notification must be provided to the FTC. At this time, NADA believes that dealers do not need to provide such a notification imminently, and NADA will provide further information as more information is known about this incident. As this could change, NADA has urged CDK to notify dealers promptly if it learns that such information has been compromised.
Separate and apart from the FTC breach notification requirement, every state has a breach-notification statute with its own set of requirements and deadlines, and dealers should consult their legal counsel about necessary steps to ensure compliance with state law.
Additional items for dealers to consider: Dealers should review their compliance with the FTC Safeguards Rule (including the required written information security program) and be aware of recent amendments to the rule that require, among many other elements, encryption of customer information both in transit and at rest, and the establishment of a written incident response plan. Details of the FTC Safeguards Rule are in NADA’s Safeguards Rule Driven guide (below).
Appendix A of the guide contains a draft incident response plan, which includes steps a dealership can take when a security event occurs. Steps include, but are not limited to, the following, and the guide contains significant detail under each heading:
- Securing dealership operations. (p. 51)
- Remediating weaknesses and fixing vulnerabilities. (p. 52)
- Developing a comprehensive communications plan. (p. 53)
- Notifying appropriate parties. (p. 54)
Go deeper: As a reminder, there are several resources to help dealers address data security and regulatory compliance, including:
- NADA Safeguards Rule Driven Guide
- FTC Cybersecurity Basics
- Cybersecurity and Infrastructure Security Agency (CISA) resources
Update: June 27
Get the deck from ComplyAuto outlining the steps dealerships need to be taking after this incident.
Resource Guides
CDK has released a library of documents -- including fixed and variable operations paper forms -- to support sales and service. According to CDK, when services are restored, documents supporting transaction entry into your system will also be available on this website.
ComplyAuto, a VADA partner, has developed a resource website with dealer recommendations. ComplyAuto recommends exercising caution when using CDK systems until they have confirmed they are safe to use, as "bad actors leverage these opportunities to attack connected organizations, which can spread the impact of these even further."
Background: Read the message from NADA to all members on June 20, 2024
CDK Global has shut down all systems because it experienced a “cyber incident.”
Tell me more: Beginning on Wednesday, June 19, CDK Global reported that it had experienced a “cyber incident” that caused it to shut down all systems. On Wednesday afternoon, CDK announced that it restored DMS, Digital Retail, and CDK Phones, including Unify and DMS direct login access, but then experienced another incident late Wednesday evening that caused it again to shut down all systems. CDK cannot estimate how long the outage will last and its customer service is unavailable.
What’s next: NADA is in communication with CDK’s legal office and is seeking additional information about the incident, including whether there has been any unauthorized acquisition of unencrypted customer information. NADA urges its members to consult with counsel concerning any federal or state legal responsibilities they may have related to the incident.
As part of this process, dealers should review their compliance with their full range of responsibilities under the recently-amended FTC Safeguards Rule, which are set forth in NADA’s Driven Guide on the topic. Dealers should pay particular attention to the following requirements contained in the Amended Safeguards Rule:
- The numerous technological requirements including the need to encrypt all customer information held or transmitted by the dealer when in transit over external networks and when at rest;
- The establishment of a written incident response plan that is designed to help a dealer promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the dealership’s control; and
- The need to report “notification events” involving at least 500 consumers to the FTC when there has been an “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.”
- If applicable, reporting must take place if the incident occurred in dealer-controlled systems, including those maintained by vendors.
- The notification requirement requires reporting to the FTC only, not to customers.
- This is separate from customer notification or other requirements imposed under state data breach notification laws.
Go deeper: There are several resources to help address data security and regulatory compliance, including:
The foregoing is offered for informational purposes only and is not intended as legal advice. Consult legal counsel that is familiar with applicable federal, state, and local law for specific guidance on legal requirements applicable to your operations.