Pub. 13 2024-2025 Issue 3

Dealer Management Systems: Lessons From a Cyberattack
By Scali Rasmussen

The June 2024 ransomware attack on CDK disrupted dealership operations nationwide. For nearly two weeks, many dealers could not process sales, repair orders or routine management tasks. Staff resorted to pen-and-paper record keeping. Transactions stalled, warranty submissions backed up and communication with manufacturers slowed. Anderson Economic Group later estimated that dealers suffered more than $1 billion in direct losses during the outage.

The event underscored a reality every dealer knows: the Dealer Management System (DMS) is not a back-office tool; it is the backbone of the business. Manufacturers require dealers to maintain a DMS for reporting new vehicle sales, warranty claims and service work. Dealers depend on it for financial reporting, payroll, inventory tracking and customer communications. The DMS also houses sensitive information, like customer contact details, Social Security numbers, financial records and other confidential business data.

Because of the sensitivity of this information, both federal and state laws impose privacy and security obligations. Dealers and their vendors must use reasonable safeguards to protect records and, if records are compromised, comply with notification and reporting requirements to regulators and affected consumers. Recognizing how central the DMS is to compliance, some states adopted dealer protection statutes. These statutes confirm that dealers own their data, require vendors to maintain safeguards and prohibit contractual terms that prevent dealers from meeting their obligations under privacy laws.

Even with these protections, many dealers learned after the CDK event that their contracts left them exposed. Typical provisions include:

• Liability limits that cap damages at the cost of services. For a dealer, this means the vendor’s liability for a weeks-long outage may equal little more than the monthly fee, while the dealer bears the financial and reputational harm.
• Termination fees that impose heavy costs if a dealer seeks to move to another provider, even after a significant outage.
• Gaps in coverage for compliance costs. Dealers may have to pay for consumer notices, regulatory filings and third-party claims, even if the trigger was a cyber event affecting the vendor.

To be clear, most DMS providers strive to maintain secure systems and strong contractual relationships. However, the lessons of 2024 highlight the need for dealers to evaluate contracts and coverage with care.

PRACTICAL STEPS FOR DEALERS

Dealers can take several steps to reduce future risk:

1. Negotiate liability provisions. Push to eliminate broad limitations of liability or, at a minimum, carve out business interruption losses tied to outages outside the dealer’s control.
2. Expand indemnity clauses. Ensure the contract requires the vendor to cover costs associated with regulatory compliance, consumer notices and third-party claims linked to a vendor cyber event.
3. Secure termination rights. Add language confirming that a significant outage or compromise of data constitutes a material breach that allows early termination without penalty.
4. Review insurance coverage. Cyber and business interruption insurance should cover primary losses and secondary costs like forensic investigations, customer communications and reputational repair.
5. Establish a response plan. Work with counsel to create a playbook for how the dealership will respond to vendor-related outages, including communication with staff, customers and regulators.

NCDA.COM 17
