Pub. 14 2024 Issue 3

giving the notice, certain exceptions and other pertinent provisions, are expressly delineated in the Act. A violation of the Act is an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act.8 Dealers should review and update their vendor contracts in the wake of the recent cybersecurity incident. Additionally, dealers should ensure their compliance with applicable state and federal laws relating to safeguarding and protecting information and maintain and update their incident response procedures in the event of a future cybersecurity incident. Julie A. Cardosi is principal of the private firm, Law Office of Julie A. Cardosi, P.C., of Springfield, Illinois. She has practiced law for over 38 years and represents the business interests of franchised motor vehicle dealers throughout Illinois. Formerly in-house legal counsel for the Illinois Automobile Dealers Association, she concentrates her private practice in the areas of dealership operations and compliance matters, transfers of ownership, mergers and acquisitions, franchise law, commercial real estate transfers, dealership employment and other areas impacting dayto-day dealership operations. She has also served as former Illinois assistant attorney general and deputy chief of the Consumer Fraud Bureau of the attorney general’s office. The material discussed in this article is for general information only and is not intended as legal advice and should not be acted upon as such. Dealers should consult their own private legal counsel for application to their specific circumstances. For more information, Julie can be reached at jcardosi@autocounsel.com, or at (217) 787-9782 ext. 1. 1. At the time this article was written, July 1, 2024, important details regarding the cyberattack had not been publicly available, including without limitation, information concerning whether dealer customer data was affected. 2. Though a vendor response might not be immediately forthcoming, the dealership should at least document the request for the incident report was made by the dealership. 3. https://illinoisattorneygeneral.gov/Consumer-Protection/For-Businesses/ Data-Breach/ 4. Illinois Personal Information Protection Act, 815 ILCS 530/1 et seq. 5. https://www.ftc.gov/business-guidance/privacy-security/gramm-leachbliley-act/safeguards-rule-form 6. FTC Safeguards Rule, 16 CFR Part 314 7. At the time this article was written, the security incident was under internal investigation by CDK and information regarding the incident was unavailable to dealers who were thus not able to determine whether the notification requirement was triggered. Because of this, NADA advised dealers that it worked with CDK and the FTC to permit CDK to file one electronic notification with the FTC for purposes of the federal Safeguards Rule requirement on behalf of all affected dealers in the event the service provider determines the requirement is triggered under federal law. Dealers can opt out of having CDK in this recent cybersecurity incident from handling this aspect on their behalf in which event the dealer would be required to file its own breach notification if it determined a notification requirement was triggered. 8. 815 ILCS 505/1 et seq (see page 16). 15 Illinois Automobile Dealer News

RkJQdWJsaXNoZXIy MTg3NDExNQ==