As discussed on several occasions the CDK cyber incident could trigger, among other duties, the obligation for affected dealers to notify the FTC regarding the incident pursuant to the Federal Safeguards Rule.
To date, CDK has not provided any details sufficient for dealers to determine whether the conditions that would require notice (unauthorized acquisition of 500 or more unencrypted consumer records) have been met, and CDK is reportedly still undertaking an internal investigation to make that determination.
It was announced that the FTC and CDK have agreed that should CDK’s internal investigation reveal that a notice is required, that CDK will issue one omnibus notice to the FTC covering the incident, and that notice would relieve each CDK dealer’s obligation to independently notify the FTC. Indeed, according to NADA, the FTC has stated that “dealers have no obligation to file a breach notification with the FTC related to this matter.”
While this is good news, dealers should take note of several important additional issues:
First, while this appears to relieve dealers of an independent reporting obligation under the FTC Safeguards Rule, it does not relieve dealers of their obligations under the Safeguards Rule generally. Dealers should review ComplyAuto guidance materials, and their own Safeguards policies to ensure that all required steps under the Safeguards Rule are followed, adjustments and updates are made, and any changes are implemented.
Second, this does NOT affect dealers’ independent obligations to notify consumers or agencies under state data breach notification laws. Dealers still urgently need information to allow them to meet those obligations, should they arise.
ComplyAuto has several tools to assist in that process:
(1) ComplyAuto customers, working with their counsel, can access the ComplyAuto CDK letter template seeking the information required under state law;
(2) ComplyAuto dealers can also use the ComplyAuto State Data Breach Analysis and Notification Tool to assist with those notices, should they be required, and;
(3) ComplyAuto dealers have access to a sample state breach notice letter as part of the ComplyAuto information security program templates.
This announcement by the FTC is good news for dealers, but dealers should consult with their attorneys to ensure that they are not unexpectedly impacted by any remaining federal obligations, and should continue to seek all information needed from CDK to determine the next steps under state law.
We're pleased to share the following resources to assist you in navigating your response to this incident:
- A comprehensive checklist to guide your response to the CDK incident.
- ComplyAuto customers received a template letter to customize and send to CDK, requesting more detailed information about the incident.
- Access to a state law citation chart, which you can use to incorporate relevant legal references into your letter.
We encourage you to review these materials carefully and consider how they may apply to your specific situation. Please note that while we've prepared these resources to support you, we strongly recommend consulting with your legal counsel before sending any formal communications to CDK.
NHADA has several partners who offer legal services to members, including:
Be sure to check out the resource center as we have a lot of information on cybersecurity and what dealers should do after such an event.
