CDK Update: PII & Promise to Fulfill State Breach Notice Requirements
CDK has issued a statement to its dealers with an update on the June 19, 2024 security incident, as well as state and federal breach reporting obligations arising from that incident.
Key takeaways:
- Today, all major CDK applications are available, and third-party integrations are almost completely restored
- As of now, NO DETERMINATION that any PII was “impacted” by the security incident - but an investigation continues
- Reiterated commitment to file FTC notice on behalf of their affected dealers
- Reported that they did file an initial notice to the FTC on July 17, 2024
- Promised to meet state data breach reporting requirements on behalf of dealers, if necessary
CDK included the following details on each of these items:
- Status Update
“[A]ll major applications - including the Dealer Management System (DMS), CDK Service, and CDK CRM – are available, and the restoration of all OEM and third-party integrations is nearly complete.”
- No Determination that PII was “Impacted”
2.1 CDK “has been actively investigating” whether there was any “unauthorized access” to personally identifiable information in connection with the event
2.2 “As of now, CDK has not determined that any PII was impacted”
2.3 But “the investigation is ongoing”
- Breach Reporting Commitment - Federal (FTC Safeguards Rule)
3.1 CDK reiterated its previous (July 1) announcement that it “has obtained permission from the FTC to file a consolidated notice on behalf of all of our affected dealer clients, should we determine that the reporting requirement under the FTC Safeguards Rule has been triggered.” And that “[a]s a result, individual dealers will not need to file notices with the FTC regarding CDK’s June 19 security incident unless you opt out.”
3.2 Further, CDK stated that on July 17, 2024, it “provided an initial notice to the FTC.” The initial notice states that “CDK’s investigation into the security incident is ongoing. At present, the number of consumers potentially affected, if any, is unknown. The Company will provide a supplemental submission and/or follow up with Staff once more information is known.”
3.3 CDK promised to provide further information to the FTC on behalf of its dealers if needed.
- Breach Reporting Commitment - State Data Breach Law Notices
4.1 CDK stated that it will “take the same approach as we did regarding the FTC Safeguards Rule notice” regarding our dealer customers’ potential notice obligations under state data breach notification law.
4.2 CDK then promised that if its investigation leads it to determine that “any notifications under state breach notification laws (such as notices to state Attorneys General or to consumers) are required, CDK will provide the notifications on behalf of affected dealers unless you opt-out.”
Lastly, CDK promised to update dealers and follow up on the logistics of the notification process, should any notice be required, and to provide further updates as they continue their investigation.
Additional Info:
ComplyAuto CDK Resource Center