Dealerships in Illinois and throughout the nation were recently impacted by the cybersecurity incident at third-party service provider CDK Global, bringing dealership operations to a halt for a time — with aftershocks of that attack still looming weeks later.[1] Affected dealerships adapted to the incident by resorting to pen and paper, as opposed to relying on their DMS systems, for many aspects of their automotive businesses.
In addition to working through logistical and operational problems from the incident, dealers must assess their legal obligations for compliance with applicable state and federal laws. It is imperative that affected dealerships evaluate the scope and effect of this cyber incident and determine their compliance obligations. The fact that the incident was directed at a third-party vendor does not alleviate a dealership’s responsibility for compliance.
Dealerships utilize such vendors for a range of operational services, from customer relationship management systems (CRMs) to transactional and financial processing services and more. Despite reliance on the third party for these services, dealerships are responsible for their data and are the regulated entity under applicable laws. This means that dealerships have certain obligations following such a cyber incident. At a minimum, affected dealerships should obtain an incident report from the vendor[2] and determine what, if any, dealership data may have been compromised, which includes evaluating the potential impact on customer and employee information.
After determining whether dealership data was involved, certain state and federal notice and other requirements may be triggered. Dealers may have to give notice within specific time periods to customers, employees, and regulatory agencies, including the Illinois attorney general’s office[3] under state breach notification laws[4] and the Federal Trade Commission (FTC)[5] under federal law.[6]
Under the amended FTC Safeguards Rule, financial institutions — which include dealers — must provide electronic notice to the FTC as soon as possible and not later than 30 days after discovery of a notification event involving the information of at least 500 consumers. An unauthorized acquisition of unencrypted customer information is a “notification event” under the Rule. If the Rule’s notification requirement was triggered, each dealer may be required to file a breach notification with the FTC. However, because the recent incident is under internal investigation, the National Association of Auto Dealers (NADA) arranged for a filing accommodation with the FTC for dealers in the event the notification requirement under the Rule is triggered.[7] There remains a wide range of FTC Safeguards Rule requirements to which dealerships must adhere, and the NADA arrangement would not apply to state breach notification requirements.
The Illinois Personal Information Protection Act (Act) would require dealerships to provide notice of a breach to the Illinois Attorney General’s Office (if required to notify more than 500 Illinois residents), in addition to notifying the affected Illinois residents, following discovery or notification of the breach or unauthorized acquisition of computerized data that compromises the security of the personal information maintained by the dealership. The notice itself, the definition of “personal information,” the timing, contents and methods for giving the notice, certain exceptions and other pertinent provisions are expressly delineated in the Act. A violation of the Act is an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act.[8]
Dealers should review and update their vendor contracts in the wake of the recent cybersecurity incident. Additionally, dealers should ensure their compliance with applicable state and federal laws relating to safeguarding and protecting information, and should maintain and update their incident response procedures in preparation for a future cybersecurity incident.
Julie A. Cardosi is principal of the private firm, Law Office of Julie A. Cardosi, P.C., of Springfield, Illinois. She has practiced law for over 38 years and represents the business interests of franchised motor vehicle dealers throughout Illinois. Formerly in-house legal counsel for the Illinois Automobile Dealers Association, she concentrates her private practice in the areas of dealership operations and compliance matters, transfers of ownership, mergers and acquisitions, franchise law, commercial real estate transfers, dealership employment and other areas impacting day-to-day dealership operations. She has also served as former Illinois assistant attorney general and deputy chief of the Consumer Fraud Bureau of the attorney general’s office. The material discussed in this article is for general information only and is not intended as legal advice and should not be acted upon as such. Dealers should consult their own private legal counsel for application to their specific circumstances. For more information, Julie can be reached at jcardosi@autocounsel.com, or at (217) 787-9782 ext. 1.
1. At the time this article was written, July 1, 2024, important details regarding the cyberattack had not been publicly available, including, without limitation, information concerning whether dealer customer data was affected.
2. Though a vendor response might not be immediately forthcoming, the dealership should at least document that the request for the incident report was made by the dealership.
3. https://illinoisattorneygeneral.gov/Consumer-Protection/For-Businesses/Data-Breach/
4. Illinois Personal Information Protection Act, 815 ILCS 530/1 et seq.
5. https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act/safeguards-rule-form
6. FTC Safeguards Rule, 16 CFR Part 314.
7. At the time this article was written, the security incident was under internal investigation by CDK, and information regarding the incident was unavailable to dealers, who were thus not able to determine whether the notification requirement was triggered. Because of this, NADA advised dealers that it worked with CDK and the FTC to permit CDK to file one electronic notification with the FTC, for purposes of the federal Safeguards Rule requirement, on behalf of all affected dealers in the event the service provider determines the requirement is triggered under federal law. Dealers can opt out of having CDK handle this aspect on their behalf for this incident, in which event the dealer would be required to file its own breach notification if it determined a notification requirement was triggered.
8. 815 ILCS 505/1 et seq. (see page 16).