DEALERS REQUIRE PROMPT AND DETAILED INFORMATION FROM VENDORS

In situations like this, rapid communication is essential. Both federal and state notification requirements impose aggressive timing mandates. Dealers must inform affected consumers as quickly as possible, in most cases within 30 days of discovering the breach. These timelines serve the statutes' fundamental purpose: alerting consumers that their data is at risk so that they can take protective measures. To meet these requirements, dealers need prompt answers to the following questions:

1. What happened? At minimum, a general description of the incident, including when it occurred and when the vendor discovered it, since notification deadlines are generally measured from discovery.

2. Was the data encrypted when it was accessed? This is a critical threshold question in almost all jurisdictions. The answer should also cover whether the encryption keys were exposed, because the encryption exemption generally does not apply if the attacker obtained the keys as well.

3. Does the vendor know, with reasonable certainty, the scope of the affected data?

4. Were dealer systems compromised? Could they have been? Ask specifically whether any credentials, API keys or integration connections the vendor holds for the dealership's own systems were exposed.

5. What specific data elements were impacted (names, addresses, Social Security numbers, etc.)? Each state has different rules regarding which data elements trigger notification requirements.

6. How many of the dealership's customers were affected, and who are they? This presents a unique challenge with vendor breaches, where customer data from multiple dealers often resides in a single database, so the vendor must be able to attribute each affected record to the correct dealer.

Dealers need to know right away what happened and which of their customers were, or may have been, affected in order to fulfill their notification obligations and determine whether specific legal thresholds have been met.

DEALERS MUST EXERCISE DUE DILIGENCE IN VENDOR SELECTION AND OVERSIGHT

Remember as well that while dealers may outsource to technology vendors, dealers remain responsible for the activity of those vendors and must follow certain processes when selecting and overseeing them.
Dealers are responsible for:
• Conducting thorough due diligence when selecting vendors;
• Establishing contracts that clearly define vendors' data protection responsibilities and breach cooperation obligations, including how quickly the vendor must notify the dealer of an incident and what information it must provide; and
• Monitoring vendors to ensure that promised protections are implemented and maintained.

While these practices must be established before a breach occurs, an incident is also the time to apply them: use it to evaluate the breach's impact, assess the vendor's response, and consider the implications for the ongoing relationship.

DEALERS MUST INCORPORATE VENDOR BREACH CONSIDERATIONS INTO INFORMATION SECURITY PLANS

The FTC Safeguards Rule requires dealers to maintain a comprehensive written information security program ensuring that sensitive personal data is protected, whether it is maintained in internal systems or at vendor locations. When a breach occurs at a vendor, dealers must evaluate the implications for their own data security posture. This evaluation should include:
• Understanding the nature and cause of the breach;
• Obtaining assurances that the vulnerability has been fully remediated, with enough detail to judge whether the fix addresses the root cause rather than only the symptom; and
• Assessing whether the vendor presents an unreasonable ongoing risk to data security.

Dealers should document these assurances from the affected vendor and include the analysis in their annual board report to demonstrate proper due diligence in vendor management. Use the incident as an opportunity to comprehensively review current vendor relationships, particularly those involving third-party integrations.
COMPLYAUTO RESOURCES AND SUPPORT

ComplyAuto's Privacy solution provides tools to address these challenges, including:
• 50-State Breach Notification Wizard: Navigate complex federal and state-specific requirements, whether the incident occurs at a vendor or at the dealership, using the only tool of its kind in the industry
• Vendor Management Tools: Properly oversee and document third-party relationships, including the critical contract amendments and oversight required for all vendors
• Policy Management: Maintain current, compliant policies
• Annual Board Reporting: Fulfill Safeguards Rule documentation requirements
• Staff Training: Ensure your team understands its obligations
• State Privacy Law Compliance: Address evolving state-level requirements, including those under the New Jersey Privacy Act (NJPA)
• Online Tracking Technology Tools: Manage litigation risks and maintain full compliance at the federal and state levels

For dealers not currently using ComplyAuto Privacy, contact ComplyAuto today to partner with the dealership compliance experts and the endorsed provider of NJ CAR for dealership privacy compliance.

This article is provided for informational purposes and does not constitute legal advice. Dealers should consult with qualified legal counsel regarding their specific obligations and circumstances.

23 NEW JERSEY auto retailer