The recent widely publicized security incident at CDK has brought breach response issues to the front of dealers’ minds. (The most recent press accounts suggest that the incident may involve ransomware.) As we know, dealers rely heavily on third-party vendors for various services, from customer relationship management systems to financial processing. When a vendor experiences a security incident, it can obviously have far-reaching operational implications for the dealerships it serves. But it also raises important legal and regulatory issues for dealers. This article outlines the key legal and regulatory considerations auto dealers should weigh in the immediate aftermath of such an incident.
Incident Assessment
The first step is to assess the scope and potential impact of the vendor’s security incident. This can be difficult, especially in the first hours and days after the event. Even for systems a business fully controls, this is a complicated and difficult process — and those difficulties are magnified when the incident occurs at a third-party service provider that you do not fully control.
Unfortunately, that reality does not relieve dealers from potential time-sensitive obligations, nor does it necessarily provide any additional time to meet those obligations. Dealers are responsible for their data — even when it is processed elsewhere and/or by a service provider. Dealers are the regulated entity — the data “controller;” the “financial institution;” the data “owner” — under relevant federal and state law, and they need to take action to ensure that they are meeting their obligations.
In the event of a cybersecurity incident that could impact dealer data, dealers should, at a minimum:
- Request a detailed incident report from the vendor.
- Seek to determine what dealership data may have been compromised.
- Evaluate potential risks to customers, employees and business operations.
While the dealer may not be able to obtain a detailed incident report right away (indeed, one may not even be available), it is important that they ask and that they do so as soon as practicable. As outlined below, state and federal notice obligations are all time-sensitive, and while a dealer should not be expected to obtain answers to questions if they are not yet available, they cannot do nothing. Making this formal request (and documenting it) is a good starting point.
Potential Notice Obligations
Asking for incident information is step one, but what happens if you do learn that dealership customer information may have been involved? Depending on the nature of what you learn, this may trigger several critical legal obligations, including potential notice responsibilities. Dealers may have legal obligations to notify:
- Affected individuals (customers and employees) under state breach notification laws.
- Regulatory bodies.
- State attorneys general (or other state agency) under state law.
- The Federal Trade Commission under federal law.
- Law enforcement agencies.
For each of these scenarios, timely notification is critical. For example, the recently enacted Safeguards Rule reporting requirement requires that dealers notify the FTC “as soon as possible and no later than 30 days” after discovery of a “notification event.” A notification event is the unauthorized acquisition of unencrypted customer information of 500 or more consumers.
Importantly, the FTC has indicated that dealers (as the regulated entities under the Rule) are still responsible for ensuring that the FTC is appropriately notified — even if the event occurred at a service provider.
A key consideration here is “discovery,” and the FTC provides little clear guidance on when exactly discovery takes place. In the context of a publicly revealed event at a service provider, when does discovery occur so that the “clock” starts ticking? It’s far from clear, but in its commentary, the Commission seems to distinguish between discovery of an incident and a determination that the incident involved 500 or more consumers.
The FTC states that it “expects that companies will be able to decide quickly whether a notification event has occurred by determining whether unencrypted customer information has been acquired and, if so, how many consumers are affected, so there will not be a significant difference between ‘determination’ [of whether a notification event has occurred] and ‘discovery’ [of the incident].”
What does that mean in the context of the June 2024 CDK incident?
Again, this is far from clear, but it does suggest that “discovery” may occur when an incident is first “discovered” — even if, at that time, you have not determined that consumer information was involved. This supports the argument that dealers should be reaching out now to CDK to determine whether any of their customer information was involved in the incident.
It is also important to note that the new FTC reporting requirement puts the burden of proof on the dealer. It states that “[u]nauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” So there is an open question about what level of proof dealers will need from CDK (or any other vendor) to meet this “reliable evidence” standard, but it is clear that some evidence will be required.
State Law Notification Requirements
Beyond the federal Safeguards Rule, all 50 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted their own breach notification laws. Unlike the federal rule, which requires notice to the FTC, these laws generally require businesses to notify affected individuals when their personal information has been compromised. These notice requirements are tied to the residency of individual consumers. Therefore, compliance with these obligations requires an analysis of the specific customers whose information has been breached.
Timing
Many states require notification “as expeditiously as possible and without unreasonable delay,” with others including an outer time limit such as “no later than 30 [45, 60] days.” The state laws vary in determining when these time periods start. They also differ from the Safeguards Rule in the type of information they cover (generally tied to SSNs, credit card numbers, account numbers, etc.).
State notifications typically must include a description of the incident, types of information compromised and steps individuals can take to protect themselves. Most states allow written notice, with some permitting electronic notification under certain circumstances. Many states require notification to the state attorney general or other state regulatory bodies if the breach affects a certain number of residents.
It’s crucial to note that requirements can vary significantly between states. For instance:
- California’s law applies to a broader range of data types than many other states.
- Some states, like Massachusetts, require specific security measures in addition to notification.
- New York’s SHIELD Act expanded the definition of private information and broadened the scope of businesses subject to its requirements.
Given these variations, auto dealers operating across multiple states must be prepared to comply with a patchwork of requirements.
Other Important Steps Dealers May Consider
Dealers should review their current vendor contracts to understand:
- The vendor’s contractual obligations regarding data security and breach notification.
- Indemnification clauses and liability limitations.
- Requirements for the vendor’s incident response and cooperation.
- Requirements for the vendor to cooperate with and produce information to the dealer about actual or suspected breaches.
If these provisions are not currently available, dealers should work with their attorneys to add adequate language in all relevant agreements.
Insurance Issues
Dealers whose business operations are interrupted may also want to evaluate whether any of their insurance policies provide business interruption coverage for losses sustained due to a breach. Such coverage might exist under property/casualty and/or cyber insurance policies.
Customer Relations and Reputation Management
While not strictly a legal consideration, maintaining customer trust is crucial. Dealers should:
- Develop a clear communication strategy for affected customers.
- Consider whether they will offer appropriate remediation services (e.g., credit monitoring); a number of state breach notification laws may require this to be offered with the notice.
- Be prepared to address customer concerns and potential complaints.
Regulatory Investigations, Enforcement and Litigation Risk
Dealers and their counsel should also be prepared for potential state or federal regulatory investigations. Remember that the stated purpose for the FTC Safeguards notification requirement is to assist the Commission in enforcing the Safeguards Rule against financial institutions that report. In other words, you have to tell the FTC there was an issue so that they can enforce the Rule against you.
Dealers, working with counsel, should maintain thorough documentation of the incident response process and all communications with the vendor, affected individuals and regulatory bodies.
Given the complex legal issues implicated, dealers should consider consulting with their attorney in the early phases of determining whether a breach has occurred and what an appropriate response would be. Dealers and their counsel need to plan early in the process to take steps to protect the attorney-client privilege in the course of their investigation and response.
Of course, there will be a heightened risk of potential litigation related to the incident, which makes this documentation and privilege protection even more critical.
Ongoing Compliance and Security Enhancements
In the aftermath of an incident, dealers should:
- Reassess their vendor management practices.
- Enhance internal security measures.
- Update incident response plans.
- Consider cybersecurity insurance options.
Remember that in addition to the new notice requirements, the FTC Safeguards Rule requires financial institutions to develop and implement an incident response plan (IRP). In the event of a vendor security incident, following this plan is crucial. Dealers should also consider updating their IRP afterward to reflect lessons learned from the incident.
Lessons Learned?
What should all dealers (including non-CDK dealers) learn in the context of this incident? Preparation is key. In addition to reviewing and updating contracts, dealers should work now to ensure that their incident response plan is updated and effective. Dealers should also consider establishing a business continuity plan that could be put into place in the event of a future cyber incident to ensure the ability to continue operations in as uninterrupted a manner as possible.
Dealers should also take the time to double down on their efforts to fully comply with the Safeguards Rule, including oversight of service providers. While dealers often cannot control what happens at a vendor, they can (and are required to) conduct due diligence in selecting vendors, ensure that their vendor contracts are compliant, and take steps to confirm that vendors are implementing the cybersecurity measures required under the Safeguards Rule as well as under many state laws.
It’s important to note that while having a plan is crucial, its effectiveness lies in regular testing, updating and employee familiarity with the procedures. Auto dealers should conduct periodic tabletop exercises or simulations to ensure their incident response and business continuity plans remain practical and effective.
Sources
- This memorandum was drafted on June 21, 2024. At that time, the CDK “cybersecurity incident” had been publicly revealed, but no details about the event had been shared publicly that would allow dealers to determine whether any of their customer data was affected by the incident.
- See https://www.autonews.com/retail/cdk-global-cyberattack-hackers-want-millions-end-outage; and https://www.bloomberg.com/news/articles/2024-06-21/cdk-hackers-want-millions-in-ransom-to-end-car-dealership-outage?srnd=homepage-americas.
- Including instances where encrypted information is accessed along with the encryption key.
- 88 Fed. Reg. 77502 (2023).
- 16 CFR § 314.2(m).
- The ComplyAuto Safeguards Rule template Information Security Program materials include a sample customer notification letter. However, these letters could have legal significance and should be reviewed by legal counsel.
- ComplyAuto has developed a Breach Notifications Analysis Tool that will guide dealers (and their counsel) through these difficult distinctions and decisions.