Importantly, the FTC has indicated that dealers (as the regulated entities under the Rule) remain responsible for ensuring that the FTC is appropriately notified, even if the event occurred at a service provider. A key consideration here is “discovery,” and the FTC provides little clear guidance on when exactly discovery takes place. In the context of a publicly revealed event at a service provider, when does discovery occur so that the “clock” starts ticking? It is far from clear, but in its commentary the Commission seems to distinguish between discovery of an incident and a determination that the incident involved 500 or more consumers. The FTC states that it “expects that companies will be able to decide quickly whether a notification event has occurred by determining whether unencrypted customer information has been acquired and, if so, how many consumers are affected, so there will not be a significant difference between ‘determination’ [of whether a notification event has occurred] and ‘discovery’ [of the incident].” What does that mean in the context of the June 2024 CDK incident? Again, this is far from clear, but it does suggest that “discovery” may occur when an incident is first “discovered,” even if, at that time, you have not determined that consumer information was involved. This supports the argument that dealers should be reaching out now to CDK to determine whether any of their customer information was involved in the incident.

It is also important to note that the new FTC reporting requirement puts the burden of proof on the dealer. It states that “[u]nauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” Because the presumption runs against the dealer, a lack of information from the vendor does not rebut it. So there is an open question about what level of proof dealers will need from CDK (or any other vendor) to meet this “reliable evidence” standard, but it is clear that some evidence will be required.

State Law Notification Requirements

In contrast to federal law, all 50 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted breach notification laws. Unlike the federal Safeguards Rule, which requires notice to the FTC, these laws generally require businesses to notify the affected individuals when their personal information has been compromised. These notice requirements are tied to the residency of the individual consumers, so compliance requires an analysis of the specific customers whose information has been breached.

Timing

Many states require notification “as expeditiously as possible and without unreasonable delay,” and others add an outer time limit such as “no later than 30 [45, 60] days.” The state laws vary in when these time periods start. They also differ from the Safeguards Rule in the type of information they cover (generally tied to SSNs, credit card numbers, account numbers, etc.). State notifications typically must include a description of the incident, the types of information compromised and the steps individuals can take to protect themselves. Most states allow written notice, with some permitting electronic notification under certain circumstances. Many states also require notification to the state attorney general or other state regulatory bodies if the breach affects a certain number of residents.

It is crucial to note that requirements can vary significantly between states. For instance:

• California’s law applies to a broader range of data types than many other states’ laws.
• Some states, like Massachusetts, require specific security measures in addition to notification.
• New York’s SHIELD Act expanded the definition of private information and broadened the scope of businesses subject to its requirements.

Given these variations, auto dealers operating across multiple states must be prepared to comply with a patchwork of requirements.

OTHER IMPORTANT STEPS DEALERS MAY CONSIDER

Dealers should review their current vendor contracts to understand:

• The vendor’s contractual obligations regarding data security and breach notification, including how quickly the vendor must notify the dealer.
• Indemnification clauses and liability limitations.
• Requirements for the vendor’s incident response and cooperation.
• Requirements for the vendor to cooperate with the dealer and to produce information about actual or suspected breaches.

If these provisions are not in the current agreements, dealers should work with their attorneys to add adequate language to all relevant agreements.

Insurance Issues

Dealers whose business operations are interrupted may also want to evaluate whether any of their insurance policies provide business interruption coverage for losses sustained due to a breach. Such