Scammers Taking Advantage of CDK Incident
As ComplyAuto previously warned about, CDK customers should be aware of bad actors attempting to take advantage of the CDK incident, including via potential 'bandwagon' phishing attempts. Reports have emerged stating that bad actors are sending communications falsely claiming to be CDK employees who can help get dealerships back online. Dealer employees should be aware of these phishing attempts in order to protect the dealer's accounts and systems from these secondary bandwagon attacks.
Data Breach Reporting Refresher
In this video, ComplyAuto's Brad Miller addresses questions received from numerous dealers about their potential obligations if it is determined that customer data has been breached. Note that as of the time of publication on June 20, 2024, there is not currently any evidence that suggests consumer data was compromised as part of the CDK incident.
Dealer reporting obligations under state and federal law
Here is a brief summary of the points Brad discusses
- Potential reporting under federal regulations
- FTC recently amended the Safeguards Rule to include a requirement to report to the FTC any "notification event" (commonly referred to as a "breach") involving 500 or more customers' unencrypted data as soon as possible, and no later than 30 days after discovery of the event.
- Dealer must report the breach even if it happened at a vendor.
- FTC reports are public information.
- Potential reporting under state law
- Definitions, timeframes, and reporting thresholds differ among the states.
- State laws often require a dealer to provide customer notification, and a dealer may also have to notify a state agency.
(Check out the ComplyAuto breach reporting wizard tool for more information.)
- Business Interruption Insurance Coverage
Dealers whose operations are impacted by the CDK systems being down might consider exploring whether they have business interruption coverage under any of their insurance policies that could provide relief for expenses and losses arising from the interruption in business resulting from the outage. Each insurance policy is different and historically business interruption coverage was associated with physical casualties (e.g., fire damage), but in recent years some cyber insurance policies have included business interruption coverage.