Pub. 6 2024 Issue 4

LEGAL AND REGULATORY CONSIDERATIONS FOR AUTO DEALERS IN THE WAKE OF A VENDOR SECURITY INCIDENT

BY BRAD MILLER
CHIEF COMPLIANCE/REGULATORY OFFICER, COMPLYAUTO, NHADA DIAMOND PARTNER

The recent widely publicized security incident at CDK has brought breach response issues to the front of dealers’ minds. (The most recent press accounts suggest that the incident may involve ransomware.) Dealers rely heavily on third-party vendors for a wide range of services, from customer relationship management systems to financial processing. When a vendor experiences a security incident, it can have far-reaching operational implications for the dealerships it serves. But it also raises important legal and regulatory issues for dealers. This article outlines the key legal and regulatory considerations auto dealers should weigh in the immediate aftermath of such an incident.

INCIDENT ASSESSMENT

The first step is to assess the scope and potential impact of the vendor’s security incident. This can be difficult, especially in the first hours and days after the event. Even for systems a business fully controls, this is a complicated process, and those difficulties are magnified when the incident occurs at a third-party service provider that you do not control. Unfortunately, that reality does not relieve dealers of their time-sensitive obligations, nor does it necessarily provide any additional time to meet them. Dealers are responsible for their data even when it is processed elsewhere and/or by a service provider. Under relevant federal and state law, the dealer is the regulated entity: the data “controller,” the “financial institution,” the data “owner.” Dealers need to take action to ensure that they are meeting those obligations.

In the event of a cybersecurity incident that could impact dealer data, dealers should, at a minimum:

• Request a detailed incident report from the vendor.
• Seek to determine what dealership data may have been compromised.
• Evaluate potential risks to customers, employees and business operations.

While the dealer may not be able to obtain a detailed incident report right away (indeed, one may not even exist yet), it is important that they ask, and that they do so as soon as practicable. As outlined below, state and federal notice obligations are all time-sensitive. A dealer should not be expected to obtain answers to questions that cannot yet be answered, but they cannot do nothing. Making a formal request, and documenting it, is a good starting point.

POTENTIAL NOTICE OBLIGATIONS

Asking for incident information is step one, but what happens if you learn that dealership customer information may have been involved? Depending on the nature of what you learn, this may trigger several critical legal obligations, including potential notice responsibilities. Dealers may have legal obligations to notify:

• Affected individuals (customers and employees) under state breach notification laws.
• Regulatory bodies.
» State attorneys general (or other state agencies) under state law.
» The Federal Trade Commission under federal law.
• Law enforcement agencies.

For each of these scenarios, timely notification is critical. For example, the recently enacted Safeguards Rule reporting requirement requires that dealers notify the FTC “as soon as possible and no later than 30 days” after discovery of a “notification event.” A notification event is the unauthorized acquisition of unencrypted customer information of 500 or more consumers.
