Pub. 5 2024 Special Edition

2. Insurance

Dealers should review their insurance policies to determine if they have the correct coverage, specifically policies on cyber insurance, cyberattacks and business interruption. Dealers need to understand what is and is not covered under their policies. Dealers also need to understand when claims need to be filed. If you have questions about your policies and what is covered, speak to your insurance agent or carrier.

3. Letter to Vendor

If a vendor is breached, dealers need to know what happened in the breach. Dealers need to know: (i) whether the data kept by the vendor was encrypted, (ii) if encrypted, whether the encryption key was breached, (iii) whether the dealer’s records were accessed and part of the breach, and (iv) if so, the number of dealer records affected. Specifically, dealers need to ask whether their customer data was encrypted, accessed and part of the breach. Some states, such as Virginia, provide statutory rights to dealers to get that information from the manufacturer. Va. Code 18.2-186.6(D) states:

An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonably believes the personal information was accessed and acquired by an unauthorized person.

4. Addendum to the Vendor Agreement for Compliance With the Safeguards Rule

As part of your requirements under the Safeguards Rule, dealers need addendums to their vendor agreements that state that the vendor maintains the dealer’s customer data in compliance with the Safeguards Rule. You should have a form document that the vendors sign that states they will comply with the Safeguards Rule, the information held by the vendor is encrypted, the information is owned by the dealer, the information is maintained only as permitted by the law (state and federal) and as long as you have a business relationship, and that the vendor will protect the information. Dealers should have addendums on hand as they consider new vendor agreements and review all current vendor agreements and/or addendums to ensure compliance with the Safeguards Rule.

5. Data Security

Dealers should ensure that their systems have security in place and run tests frequently to ensure no malware or virus has impacted their systems. Dealers should be speaking with their IT providers to ensure all safety protocols are in place.

6. Customer Information Breach Protocols Under Federal and State Law

Your written security program and plan pursuant to the Safeguards Rule should outline the procedures that should be taken in the event of a breach. The Safeguards Rule requires dealers to file a notice (within 30 days of discovery of the event) with the FTC in the event of a data breach occurrence impacting 500 or more customers. For the recent CDK attack, NADA, CDK and the FTC worked out an agreement that in the event the attack resulted in a breach that would trigger notice to the FTC, CDK will file on behalf of the dealers. However, dealers need to know that for any future breaches, the obligation to provide notice to the FTC is theirs.

Additionally, your state may have notification requirements to customers for data breaches. If you use the NADA Safeguards Policy, there is a form customer notification letter that you can conform to your dealership in the event of a data breach that triggers customer notification. For the CDK attack, there has been limited information on the breach, and whether it triggered a customer notification would depend on your state’s law. Dealers need to consult with their attorneys regarding the need for any notification for data breaches related to customer information, and what those notifications should look like.

The automotive industry works on 30-day cycles. Most dealers are up and running after the CDK breach, and those that were not affected just had a big sigh of relief that it wasn’t their dealership. However, now is not the time to sit idly by until another breach occurs, because it’s only a matter of time before the next cyberattack occurs. Make sure your processes are in place to ensure the next event has the least effect on your dealership.
