Pub. 14 2024 Issue 3

Counselor’s Corner

State and Federal Regulatory Compliance Considerations for Dealers
Looking Ahead in the Wake of the Vendor Cybersecurity Incident

Dealerships in Illinois and throughout the nation were recently impacted by the cybersecurity incident at third-party service provider CDK Global, bringing dealership operations to a halt for a time — with aftershocks of that attack still looming weeks later.[1] Affected dealerships adapted to the incident by resorting to pen and paper, as opposed to relying on their DMS systems, for so many aspects of their automotive businesses. In addition to working through logistical and operational problems from the incident, dealers must assess their legal obligations for compliance with applicable state and federal laws.

It is imperative that affected dealerships evaluate the scope and effect of this cyber incident and determine their compliance obligations. The fact that the incident was directed at a third-party vendor does not relieve a dealership of its responsibility for compliance. Dealerships use such vendors for a range of operational services, from customer relationship management systems (CRMs) to transactional and financial processing services and more. Despite reliance on the third party for these services, dealerships are responsible for their data and are the regulated entity under applicable laws. This means that dealerships have certain obligations following such a cyber incident.

At a minimum, affected dealerships should obtain an incident report from the vendor[2] and determine what, if any, dealership data may have been compromised, which includes evaluating the potential impact on customer and employee information. After determining whether dealership data was involved, certain state and federal notice and other requirements may be triggered.

Dealers may have to give notice within specific time periods to customers, employees and regulatory agencies, including the Illinois attorney general’s office[3] under state breach notification laws[4] and the Federal Trade Commission (FTC)[5] under federal law.[6]

Under the amended FTC Safeguards Rule, financial institutions — which include dealers — must provide electronic notice to the FTC as soon as possible and not later than 30 days after discovery of a notification event involving the information of at least 500 consumers. An unauthorized acquisition of unencrypted customer information is a “notification event” under the Rule. If the Rule’s notification requirement was triggered, each dealer may be required to file a breach notification with the FTC. However, as the recent incident is under internal investigation, the National Association of Auto Dealers (NADA) arranged for a filing accommodation with the FTC for dealers if the notification requirement under the Rule is triggered.[7] There is still a wide range of FTC Safeguards Rule requirements to which dealerships must adhere, and the NADA arrangement would not apply to state breach notification requirements.

The Illinois Personal Information Protection Act (Act) would require dealerships to provide notice of a breach to the Illinois Attorney General’s Office (if required to notify more than 500 Illinois residents), in addition to providing notification to the affected Illinois residents, following discovery or notification of the breach or unauthorized acquisition of computerized data that compromises the security of the personal information maintained by the dealership. The notice, as well as the “personal information” definition, timing, contents and methods for

BY JULIE CARDOSI, ESQ.
LAW OFFICE OF JULIE A. CARDOSI, P.C.

Illinois Automobile Dealer News
