2026 Pub. 25 Issue 1

Lessons from the 700Credit Data Breach: Understanding Dealer Obligations When Vendor Systems Are Compromised

by BRAD MILLER, Chief Executive Officer, ComplyAuto

BACKGROUND

In December 2025, 700Credit confirmed that a data breach occurred within its systems between May and October 2025, affecting dealer customer data. The breach resulted in the unauthorized exposure of unencrypted personal information, including names, addresses and Social Security numbers, to third parties.

According to 700Credit, the breach occurred when a third-party API (Application Programming Interface) was improperly exposed, allowing unauthorized access to sensitive data. The data was reportedly encrypted when stored, but because the third party obtained the API key, the API returned the data in decrypted form, exactly as it would to a legitimate caller. Encryption at rest offers no protection against a request the system accepts as authorized: once an API credential is compromised, every record that credential can query is exposed in the clear.

FUNDAMENTAL DEALER OBLIGATIONS FOR DATA BREACHES

Unfortunately, the automotive retail industry, like many sectors, has experienced numerous large-scale data breaches in recent months. This incident serves as an important reminder of dealers' core legal obligations. Under federal and state law, dealers must:

• Protect customer data maintained in their systems;
• Preserve the privacy of customer information; and
• Provide required notifications when breaches occur.

When a breach of customer data occurs, dealers have a federal duty under the FTC Safeguards Rule to notify the Federal Trade Commission (FTC); the Rule requires that notice within 30 days of discovery when unencrypted customer information of at least 500 consumers is involved. Dealers also have state law obligations to notify affected consumers, state agencies, and other specified parties. For comprehensive information on related compliance requirements, visit www.complyauto.com for resources on the FTC Safeguards Rule, FTC Privacy Rule, New Jersey Data Privacy Act, and state data breach notification laws.

UNIQUE CHALLENGES WHEN BREACHES OCCUR AT VENDOR SYSTEMS

A critical complicating factor in this incident is that the breach occurred not within dealer-controlled systems, but at a third-party vendor. This distinction raises several important considerations for dealers.
Dealers Retain Notification Obligations, Even When Breaches Occur at Vendors

The FTC Safeguards Rule and the laws of all 50 states impose data breach notification requirements, though they differ significantly. Many ComplyAuto dealers have used the ComplyAuto Data Breach Wizard to navigate their jurisdiction-specific legal obligations. This comprehensive tool guides users through potential federal requirements and obligations across all states.

Critical Principle: In all cases, the dealer, not the vendor, bears the ultimate obligation to notify the FTC, state attorneys general, and affected consumers. However, vendors may handle these notifications on behalf of dealers if the vendor agrees to assume this responsibility, and the relevant state and federal agencies permit a third party to file agency notices on the dealer's behalf. When vendors send notices on dealers' behalf, the communications should generally reflect that the dealer is issuing the notice; in other words, notifications should be sent "from the dealership," even when the vendor manages distribution.

Additionally, important distinctions may exist between consumer notices and those issued to the attorney general or a state agency. During this breach incident, dealers in different states had varying experiences with state agencies. Some attorneys general permitted 700Credit to file notices on dealers' behalf, while others declined or agreed only after intervention from state automobile trade associations.

NEW JERSEY auto retailer
