What is LADA doing?
In the wake of the recent cyber attack on CDK, LADA has been in touch with NADA, Louisiana's Congressional Delegation, the Louisiana OMV, the Louisiana Attorney General's Office, and various other stakeholders. Many of our LADA associate members and endorsed providers are ready and available to support affected dealerships during this difficult time.
Contact an alternate vendor as soon as possible for assistance.
Resource Guides
- CDK Dealer Resource Center | According to CDK, when services are restored, documents supporting transaction entry into your system will also be available on this website.
- KPA Data Security Resource Hub | LADA's endorsed safety & compliance provider has created a resource hub for dealers affected by the CDK outage.
- KPA Webinar Recording | CDK's Cyber Incident: The Dealer's Insurance and Compliance Obligations
- ComplyAuto CDK Incident Resource Center
- Article: Returning to the CDK Environment: Actions Your Dealership Should Consider (Forvis Mazars)
CDK Update to Dealers 7/30/24
Source: CDK Global
After the CDK cyber security incident that occurred on June 19, 2024, CDK has worked tirelessly to restore service. Currently all major applications - including the Dealer Management System (DMS), CDK Service and CDK CRM – are available, and the restoration of all OEM and third-party integrations is nearly complete.
We recognize the concerns you may have regarding any unauthorized access to any personally identifiable information (“PII”). We have been actively investigating the issue with the assistance of leading third-party experts. As of now, CDK has not determined that any PII was impacted.
While the investigation is ongoing, we want to address your concerns about your potential obligations to comply with the regulatory reporting and notification requirements under the Federal Trade Commission (FTC) Safeguards Rule and state breach notification laws.
- Notice under FTC Safeguards Rule. We previously informed you on July 1, 2024, that in order to alleviate the burden on our dealer customers of potentially filing individual notices, CDK has obtained the permission from the FTC to file a consolidated notice on behalf of all of our affected dealer clients, should we determine that the reporting requirement under the FTC Safeguards Rule has been triggered. As a result, individual dealers will not need to file notices with the FTC regarding CDK’s June 19 security incident unless you opt out.
On July 17, 2024, CDK provided an initial notice to the FTC. The initial notice states that “CDK’s investigation into the security incident is ongoing. At present, the number of consumers potentially affected, if any, is unknown. The Company will provide a supplemental submission and/or follow up with Staff once more information is known.” If our investigation into the incident indicates that the reporting requirement under the Safeguards Rule has been triggered and additional information needs to be provided to the FTC, CDK will provide it on behalf of affected dealers.
- Notices under State Laws. Regarding our dealer customers’ potential notice obligations under state data breach notification law, we will take the same approach as we did regarding the FTC Safeguards Rule notice. If based on our investigation we determine that any notifications under state breach notification laws (such as notices to state Attorneys General or to consumers) are required, CDK will provide the notifications on behalf of affected dealers unless you opt out.
- Logistics and What to Expect. Upon the completion of our investigation, if we determine that any reporting or notice requirements under the FTC Safeguards Rule or any state data breach notification laws have been triggered, we will update you and follow up regarding the logistics of the notification process, including how you may opt out if you don’t wish CDK to handle such reporting or notice on your behalf.
We hope that our approach will alleviate some of the regulatory burden on you. We appreciate your continued patience and understanding as we continue our investigation, and we will provide further updates as soon as is practicable.
Other LADA vendor contacts
More from LADA
Federal Regulatory Perspective: The FTC mandates that any unauthorized acquisition of unencrypted customer information involving at least 500 consumers must be reported to the FTC (not the customers). This notification must occur “as soon as possible and no later than 30 days after discovery of the event.” While dealers should consult with their legal counsel regarding compliance with this requirement, given the scale of this event NADA staff has been in communication with FTC staff about when notification must be provided to the FTC. At this time, NADA believes that dealers do not need to provide such a notification imminently, and NADA will provide further information as more information is known about this incident. As this could change, NADA has urged CDK to notify dealers promptly if it learns that such information has been compromised.
State Law Perspective: Louisiana’s “Database Security Breach Notification” law (Louisiana Revised Statutes 51:3071 et seq.) requires notifying customers if unencrypted customer information is acquired without authorization. This notification must happen “in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach.” A copy of Louisiana’s Database Security Breach Notification statute can be found here.
La. Admin. Code tit. 16, § III-701 - Reporting Requirements
A. When notice to Louisiana citizens is required pursuant to R.S. 51:3074, the person or agency shall provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s Office. Notice shall include the names of all Louisiana citizens affected by the breach.
B. Failure to provide timely notice may be punishable by a fine not to exceed $5,000 per violation. Notice to the attorney general shall be timely if received within 10 days of distribution of notice to Louisiana citizens. Each day notice is not received by the attorney general shall be deemed a separate violation.
C. Written notification shall be mailed to:
Louisiana Department of Justice
Office of the Attorney General
Consumer Protection Section
1885 N. Third Street
Baton Rouge, LA 70802
Current Reporting Issue: There is a challenge with reporting because we have not received enough detail from CDK. The critical question that CDK must answer before a determination can be made relative to the above reporting requirements is: Was any customer data actually accessed by the hackers? As of now, we have no evidence of this happening. But only CDK can confirm whether the intrusion extended to customer data at any particular dealership. CDK needs to provide this information, and rest assured, we, along with NADA, are actively working to get an answer to this crucial question.
The foregoing is offered for informational purposes only and is not intended as legal advice. Consult legal counsel that is familiar with applicable federal, state, and local law for specific guidance on legal requirements applicable to your operations.
07/01/2024 - NADA
CDK to File a Consolidated Breach Notification with the FTC on Behalf of its Dealer Clients if CDK Determines that the Federal Notification Requirement is Triggered
As reported in previous communications, the FTC Safeguards Rule was recently amended to require financial institutions (including dealers) to provide an electronic notice to the FTC as soon as possible and no later than 30 days after discovering a notification event involving the information of at least 500 consumers. A notification event is the unauthorized acquisition of unencrypted customer information.
Questions have arisen concerning whether the security incident reported by CDK on June 19 triggers this requirement. If it does, each dealer client of CDK would be required to file a breach notification with the FTC and complete its data fields including (among other entries) the types of information involved in and a summary of the notification event.
Because information surrounding the security incident is subject to an internal, ongoing investigation by CDK and therefore is unavailable to CDK’s dealer clients, dealers are unable to determine whether the federal notification requirement has been triggered.
Accordingly, NADA, in coordination with CDK counsel, proposed to the FTC that the FTC permit CDK to file a single electronic notice on behalf of all of its affected dealer clients should CDK conclude, based on its internal investigation of the incident, that the notification requirement has been triggered.
In such notice, CDK would complete all of the required data fields based on available information, including the identity of its affected dealer clients. A filing by CDK – or a determination by CDK that the notification requirement has not been triggered – would satisfy any reporting obligation the dealer may have under the FTC Safeguards Rule.
The FTC has accepted NADA’s proposal. Consequently, dealers have no obligation to file a breach notification with the FTC related to this matter.**
However, dealers are reminded that (i) the full range of FTC Safeguards Rule requirements remain in effect, and (ii) every state has a breach notification requirement and the FTC’s acceptance of this proposal has no effect on state notification requirements. Therefore, it is important for dealers to consult with legal counsel to ensure they are in compliance with any applicable state breach notification requirements.
CDK will communicate directly with its dealer clients related to this matter.
- - -
** A dealer can opt out of having CDK handle this matter on its behalf in which case the dealer will have to file a breach notification if the dealer determines that a notification event has occurred.
The foregoing is offered for informational purposes only and is not intended as legal advice. Consult legal counsel that is familiar with applicable federal, state, and local law for specific guidance on legal requirements applicable to your operations.
NADA All-Dealer e-mails from June 20, June 21, June 25, and June 28:
- CDK Cyber Incident Update: The Federal Notification Requirement and Other Important Guidance
- CDK Cyber Incident – What Dealers Need to Know When They Are Back Online
- CDK Cyber Incident Serves as a Reminder to Dealers to Protect Data and Systems
- CDK Cyber Incident Update: Continuing Outage and Additional Guidance