CDK will handle FTC notification for its cyber incident, but dealers still face other Safeguards Rule and state-level data breach obligations.
As ComplyAuto has discussed on several occasions, the CDK cyber incident could trigger, among other duties, the obligation for affected dealers to notify the FTC regarding the incident under the federal Safeguards Rule.
To date, CDK has not provided any details sufficient for dealers to determine whether the conditions that would require notice (unauthorized acquisition of 500 or more unencrypted consumer records) have been met, and CDK is reportedly still undertaking an internal investigation to make that determination.
Yesterday, it was announced that the FTC and CDK have agreed that, should CDK’s internal investigation reveal that a notice is required, CDK will issue one omnibus notice to the FTC covering the incident, and that notice would relieve each CDK dealer of its obligation to independently notify the FTC. Indeed, according to NADA, the FTC has stated that “dealers have no obligation to file a breach notification with the FTC related to this matter.”
While this is good news, dealers should take note of several important additional issues:
First, while this appears to relieve dealers of an independent reporting obligation under the FTC Safeguards Rule, it does not relieve dealers of their obligations under the Safeguards Rule generally. Dealers should review ComplyAuto guidance materials and their own Safeguards policies to ensure that all required steps under the Safeguards Rule are followed, adjustments and updates are made, and any changes are implemented.
Second, this does NOT affect dealers’ independent obligations to notify consumers or agencies under state data breach notification laws. Dealers still urgently need information to allow them to meet those obligations, should they arise. ComplyAuto has several tools to assist in that process:
ComplyAuto customers, working with their counsel, can access the ComplyAuto CDK letter template seeking the information required under state law.
ComplyAuto dealers can also use the ComplyAuto State Data Breach Analysis and Notification Tool to assist with those notices, should they be required.
ComplyAuto dealers have access to a sample state breach notice letter as part of the ComplyAuto information security program templates.
This announcement by the FTC is good news for dealers, but dealers should consult with their attorneys to ensure that they are not unexpectedly impacted by any remaining federal obligations, and should continue to seek all information needed to determine next steps under state law.
1 Dealers should consult with counsel to ensure that this meets any such obligations, and may want to consider written assurance from CDK in relation to this reporting obligation.