In the wake of the CDK Global cyber breach, the automotive industry is facing significant challenges and uncertainties. On June 19, CDK confirmed a “cyber incident” that led to a series of rapid and consequential actions, including shutting down various systems that are critical to dealership operations. This incident has escalated over weeks, revealing that Eastern European hackers allegedly demanded a multimillion-dollar ransom and culminating in reports that CDK may have paid approximately $25 million to end the outage. It is crucial for dealerships to stay informed and take immediate steps to protect their data. This article provides a detailed timeline of the events, an overview of the FTC Safeguards Rule and KPA’s recommendations for navigating this crisis and enhancing your dealership’s data security. CDK CYBER INCIDENT TIMELINE • June 19: CDK confirms “cyber incident,” shuts down customer access to various systems, turns customer access back on and turns customer access off again. • June 20: It is reported that bandwagon hackers are phishing, vishing and smishing dealers while posing as CDK. • June 21: CDK announces that systems will be down for several days, and it is reported by Bloomberg that Eastern European hackers are allegedly demanding a ransom. • June 22: CDK announces it has started the restoration process. CDK identifies this as a “cyber ransom event,” and the first purported class action complaint is filed against CDK. • June 25: CDK notifies dealers that not every dealer will have access restored by June 30, and dealers should look for other options to close month-end. • July 2: CDK announces that the DMS access is substantially restored to customers, and that CDK will make notifications to the FTC (if necessary, unless a dealer opts out). • July 11: CNN reports that CDK likely paid 387 Bitcoins (roughly $25 million) to hackers to end the outage. REPORTING OBLIGATIONS UNDER THE FTC SAFEGUARDS RULE The Federal Trade Commission (FTC) Safeguards Rule provides a framework for dealerships and other financial institutions to protect customer information by requiring them to have certain measures in place to ensure the security and confidentiality of customer records and information. On Oct. 27, 2023, the Federal Trade Commission (FTC) announced a revision to the Safeguards Rule, requiring non-bank financial institutions to report data breaches to the FTC within 30 days of discovering that unencrypted information of more than 500 consumers was obtained by third parties without authorization. This notification requirement went into effect on May 13, 2024, and is in addition to any state notification requirements. ARE YOU REQUIRED TO REPORT THIS INCIDENT TO THE FTC OR OTHERS? Dealership do not know yet since CDK has not revealed exactly what has happened. While it is very likely that the hackers accessed and acquired unencrypted customer information, we do not know the extent to what customer information was accessed. In other words, dealerships have no way of knowing whether their customers’ information was compromised during the CDK cyber incident. While CDK has worked out an agreement with the FTC that would allow CDK to report on behalf of any dealership if that dealership’s customer information was compromised, you should still gather more information before deciding to participate or opting-out. What will CDK’s message to the FTC state? Will the dealership have any obligations to follow up on requests from the FTC? Will CDK indemnify the dealers for any mistakes or errors? Additionally, states have their own notification laws, and the agreement between CDK and FTC does not address those state-level requirements. Regardless, if you have not already done so, you should notify your insurance company and put them on notice Navigating the CDK Cyber Incident Immediate Actions and Long-Term Security Strategies BY KPA 8
RkJQdWJsaXNoZXIy ODQxMjUw