Pub. 6 2024 Issue 4

coverage might exist under property/casualty and/or cyber insurance policies.

CUSTOMER RELATIONS AND REPUTATION MANAGEMENT

While not strictly a legal consideration, maintaining customer trust is crucial. Dealers should:
• Develop a clear communication strategy for affected customers.
• Consider whether they will offer appropriate remediation services (e.g., credit monitoring).
  » A number of state breach notification laws may require this to be offered with the notice.
• Be prepared to address customer concerns and potential complaints.

REGULATORY INVESTIGATIONS, ENFORCEMENT AND LITIGATION RISK

Dealers and their counsel should also be prepared for potential state or federal regulatory investigations. Remember that the stated purpose for the FTC Safeguards notification requirement is to assist the Commission in enforcing the Safeguards Rule against financial institutions that report. In other words, you have to tell the FTC there was an issue so that they can enforce the Rule against you.

Dealers, working with counsel, should maintain thorough documentation of the incident response process and all communications with the vendor, affected individuals and regulatory bodies. Dealers should consider consulting with their attorney in the early phases of determining whether a breach has occurred and determining an appropriate response due to the complex legal issues implicated. Dealers and their counsel need to plan early in the process to take steps to protect the attorney-client privilege in the course of their investigation and response. Of course, there will be a heightened risk of potential litigation related to the incident, which makes this documentation and privilege protection even more critical.

ONGOING COMPLIANCE AND SECURITY ENHANCEMENTS

In the aftermath of an incident, dealers should:
• Reassess their vendor management practices.
• Enhance internal security measures.
• Update incident response plans.
• Consider cybersecurity insurance options.
Remember that in addition to the new notice requirements, the FTC Safeguards Rule requires financial institutions to develop and implement an incident response plan (IRP). In the event of a vendor security incident, following this plan is crucial. In addition, dealers should consider updating their IRP after an incident to reflect lessons learned from the incident.

LESSONS LEARNED?

What should all dealers (including non-CDK dealers) learn in the context of this incident? Preparation is key. In addition to reviewing and updating contracts, dealers should work now to ensure that their incident response plan is updated and effective. Dealers should also consider establishing a business continuity plan that could be put into place in the event of a future cyber incident to ensure the ability to continue operations in as uninterrupted a manner as possible.

Dealers should also take the time to double down on their efforts to fully comply with the Safeguards Rule, including oversight of service providers. While dealers often cannot control what happens at a vendor, they can (and are required to) conduct due diligence in selecting vendors, ensure that their contracts are compliant, and take steps to ensure that vendors are taking the required cybersecurity steps under the Safeguards Rule as well as under many state laws.

It's important to note that while having a plan is crucial, its effectiveness lies in regular testing, updating and employee familiarity with the procedures. Auto dealers should conduct periodic tabletop exercises or simulations to ensure their incident response and business continuity plans remain practical and effective.

UPCOMING INFORMATIVE WEBINAR

August 14 at 11 a.m. EST
All in Compliance: Mastering New Regs and Legal Challenges in 2024
ComplyAuto will share important cookie consent and online privacy policy updates, the recent FTC Safeguards Amendment and Data Breach Reporting Requirements, as well as an update on the FTC "CARS Rule." Register at nhada.com/training.

Sources
1. This memorandum was drafted on June 21, 2024. At the time it was drafted, the CDK "cybersecurity incident" had been publicly revealed, but no details about the event had been shared publicly that would allow dealers to determine whether any of their customer data was affected by the incident.
2. See https://www.autonews.com/retail/cdk-global-cyberattack-hackerswant-millions-end-outage; and https://www.bloomberg.com/news/articles/2024-06-21/cdk-hackers-want-millions-in-ransom-to-end-cardealership-outage?srnd=homepage-americas.
3. Including instances where encrypted information is accessed along with the encryption key.
4. 88 Fed. Reg. 77502 (2023).
5. 16 CFR § 314.2(m).
6. The ComplyAuto Safeguards Rule template Information Security Program materials include a sample customer notification letter. However, these letters could have legal significance and should be reviewed by legal counsel.
7. ComplyAuto has developed a Breach Notifications Analysis Tool that will guide dealers (and their counsel) through these difficult distinctions and decisions.
