July 17, 2024
By Barrie Charapp Beaty
Charapp & Weiss, LLP
bbeaty@cwattorneys.com
The hottest news of the year in the car industry was, unfortunately, the cyberattack on CDK that left dealers without a DMS for weeks. There are still many unanswered questions, and the true effects on dealers are still unknown. Dealers persevered, as always, and adapted by handwriting deals and taking care of their customers, because dealers adapt to any adversity thrown at them. It was a true testament to how dealers need to embrace modern technology while also preserving the old standard of selling vehicles: pen and paper!
This article does not ponder what the dealers affected by the CDK outage should do; rather, it is a wake-up call for every dealer. What happened to CDK is not unique to CDK; it happens to large and small companies on a daily basis. For those reasons, we write this article to identify the steps you can take to be ready for the next cyberattack.
Safeguards Policy
By law, your dealership must be compliant with the FTC Safeguards Rule. This requires a written Safeguards Policy to ensure that your dealership has the correct procedures in place. We highly recommend NADA's guide, "A Dealer Guide to the FTC Safeguards Rule," as a template to be tailored to your dealership. As required by the Safeguards Policy, your organization should have a data breach protocol in place, including who is in charge in the event of a data breach.
Insurance
Dealers should review their insurance policies to determine whether they have the correct coverage, specifically coverage for cyber insurance, cyberattacks and business interruption. Dealers need to understand what is and is not covered under their policies, and when claims need to be filed. If you have questions about your policies and what is covered, speak to your insurance agent or carrier.
Letter to Vendor
If a vendor is breached, dealers need to know what happened in the breach. Specifically, dealers need to know: (i) whether the data kept by the vendor was encrypted, (ii) if encrypted, whether the encryption key was also compromised, (iii) whether the dealer's records were accessed and part of the breach, and (iv) if so, the number of dealer records affected. In short, dealers need to ask whether their customer data was encrypted, accessed and part of the breach.
Some states, such as Virginia, give dealers a statutory right to obtain that information from the manufacturer. Va. Code 18.2-186.6(D) states:
"An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonably believes the personal information was accessed and acquired by an unauthorized person."
Addendum to the Vendor Agreement for compliance with the Safeguards Rule
As part of your requirements under the Safeguards Rule, dealers need addendums to their vendor agreements stating that the vendor maintains the dealer's customer data in compliance with the Safeguards Rule. You should have a form document for vendors to sign that states that the vendor will comply with the Safeguards Rule, that the information held by the vendor is encrypted, that the information is owned by the dealer, that the information is maintained only as permitted by state and federal law and only for as long as you have a business relationship, and that the vendor will protect the information. Dealers should have addendums on hand as they consider new vendor agreements, and should review all current vendor agreements and/or addendums to ensure compliance with the Safeguards Rule.
Data Security
Dealers should ensure that their systems have security controls in place and should run tests frequently to confirm that no malware or virus has affected their systems. Dealers should speak with their IT providers to ensure that all safety protocols are in place.
Customer Information Breach Protocols under Federal and State Law
Your written security program and plan under the Safeguards Rule should outline the procedures to be followed in the event of a breach.
The Safeguards Rule requires dealers to file a notice with the FTC, within 30 days of discovery of the event, for any data breach affecting 500 or more customers. For the recent CDK attack, NADA, CDK and the FTC worked out an agreement that, in the event the attack resulted in a breach that would trigger notice to the FTC, CDK will file on behalf of the dealers. However, dealers need to know that for any future breaches, the obligation to notify the FTC is theirs.
Additionally, your state may have customer notification requirements for data breaches. If you use the NADA Safeguards Policy, it includes a form customer notification letter that you can adapt to your dealership in the event of a data breach that triggers customer notification. For the CDK attack, there has been limited information on the breach, and whether it triggered customer notification depends on your state's law.
Dealers need to consult with their attorneys regarding the need for any notification for data breaches related to customer information, and what those notifications should look like.
The automotive industry works on 30-day cycles. Most dealers are up and running after the CDK breach, and those that were not affected breathed a big sigh of relief that it wasn't their dealership. However, now is not the time to sit idly by until another breach occurs, because it is only a matter of time before the next cyberattack. Make sure your processes are in place so that the next event has the least possible effect on your dealership.