Julie A. Cardosi

State and Federal Regulatory Compliance Considerations for Dealers – Looking Ahead in the Wake of the Vendor Cyber Security Incident

Dealerships in Illinois and throughout the nation were recently impacted by the cyber security incident at third-party service provider CDK Global, bringing dealership operations to a halt for a time, with aftershocks of that attack still looming weeks later.[1] Affected dealerships adapted to the incident by resorting to pen and paper, rather than relying on their DMS systems, for many aspects of their automotive businesses.

In addition to working through logistical and operational problems from the incident, dealers must assess their legal obligations for compliance with applicable state and federal laws. It is imperative that affected dealerships evaluate the scope and effect of this cyber incident and determine their compliance obligations. The fact that the incident was directed at a third-party vendor does not alleviate a dealership’s responsibility for compliance.

Dealerships utilize such vendors for a range of operational services, from customer relationship management (CRM) systems to transactional and financial processing services and more. Despite reliance on the third party for these services, dealerships remain responsible for their data and are the regulated entity under applicable laws. This means that dealerships have certain obligations following such a cyber incident. At a minimum, affected dealerships should obtain an incident report from the vendor[2] and determine what, if any, dealership data may have been compromised, which includes evaluating the potential impact on customer and employee information.

After determining whether dealership data was involved, certain state and federal notice and other requirements may be triggered. Dealers may have to give notice within specific time periods to customers, employees, and regulatory agencies, including the Illinois Attorney General’s Office[3] under state breach notification laws[4] and the Federal Trade Commission (FTC)[5] under federal law.[6]

Under the amended FTC Safeguards Rule, financial institutions – which include dealers – must provide electronic notice to the FTC as soon as possible and not later than 30 days after discovery of a notification event involving the information of at least 500 consumers. An unauthorized acquisition of unencrypted customer information is a “notification event” under the Rule. If the Rule’s notification requirement was triggered, each dealer may be required to file a breach notification with the FTC. However, as the recent incident is under internal investigation, the National Association of Auto Dealers (NADA) arranged for a filing accommodation with the FTC for dealers if the notification requirement under the Rule is triggered.[7] There remain a wide range of FTC Safeguards Rule requirements to which dealerships must adhere, and the NADA arrangement would not apply to state breach notification requirements.

The Illinois Personal Information Protection Act (Act) would require dealerships to provide notice of a breach to the Illinois Attorney General’s Office (if required to notify more than 500 Illinois residents), in addition to providing notification to the affected Illinois residents, following discovery or notification of the breach or unauthorized acquisition of computerized data that compromises the security of the personal information maintained by the dealership. The notice, as well as the “personal information” definition, the timing, contents and methods for giving the notice, certain exceptions, and other pertinent provisions, are expressly delineated in the Act. A violation of the Act is an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act.[8]

Dealers should review and update their vendor contracts in the wake of the recent cyber security incident. Additionally, dealers should ensure their compliance with applicable state and federal laws relating to safeguarding and protecting information and maintain and update their incident response procedures in the event of a future cyber security incident.


[1] At the time this article was written, July 1, 2024, important details regarding the cyberattack had not been publicly available, including without limitation, information concerning whether dealer customer data was affected.

[2] Though a vendor response might not be immediately forthcoming, the dealership should at least document that it made the request for the incident report.

[4] Illinois Personal Information Protection Act, 815 ILCS 530/1 et seq.

[6] FTC Safeguards Rule, 16 CFR Part 314

[7] At the time this article was written, the security incident was under internal investigation by CDK, and information regarding the incident was unavailable to dealers, who were thus not able to determine whether the notification requirement was triggered. Because of this, NADA advised dealers that it worked with CDK and the FTC to permit CDK to file one electronic notification with the FTC, for purposes of the federal Safeguards Rule requirement, on behalf of all affected dealers in the event the service provider determines the requirement is triggered under federal law. Dealers can opt out of having CDK handle this aspect on their behalf in this recent cybersecurity incident, in which event the dealer would be required to file its own breach notification if it determined a notification requirement was triggered.

[8] 815 ILCS 505/1 et seq.
