By Mark Sanborn
Senior Product and Regulatory Counsel

Fiction: Now that the CDK services have been restored, dealers can put the CDK ransomware incident behind them and not change any practices or take any further steps to protect themselves or their customers.
Hey there Compliance Connoisseurs! Today we are talking about whether current and former users of CDK services can put the recent CDK ransomware incident behind them, or if there is still work to do. (Spoiler: there’s still work to do.)
For those who’ve been living under a rock this past month, catch up on the June 2024 CDK systems ransomware incident here, or just Google “CDK” – you’ll have enough reading material to last you through beach season.
Now, while current CDK users are doing happy dances about getting back to business, there are still some compliance and practical loose ends that need tying up. Even former CDK users aren’t off the hook. Let’s break it down:
1. Was Consumer Data Compromised?
Over a month post-incident, and CDK’s still mum on whether consumer data was compromised. They’ve only confirmed an FTC agreement allowing them to notify on dealers’ behalf – if a notification is necessary under GLBA. That’s nice, but dealers still need to know a lot more to go forward: not only because they could be on the hook for state-level breach notifications, but also so they know the status of their customers’ data. For state law reporting, most states have reporting deadlines, and the clock is ticking. Dealers should be reaching out to CDK and consulting their attorneys about state notification obligations.
ComplyAuto Privacy Customers, we’ve got your back: Check out our 50-state data breach reporting wizard to get a handle on potential reporting obligations that may be applicable in the states you operate in or where your customers reside.
Moreover, your customers could be concerned and you need to know the facts so you can tell them what happened, what risks they may face, and to assure them that you are taking the necessary steps to protect them going forward. Hopefully, you have a media and communications plan in place to address consumer concerns. Even if you haven’t, you should be thinking about what, if anything, you may need to do to restore trust with your customer base.
2. Former CDK Users’ Ghosts of CDK Past:
Thought you dodged a bullet by jumping ship on CDK pre-ransomware? Not so fast. If CDK still had your data, you might be in the splash zone. You’ll want to confirm whether consumer data was compromised, just like current users. If your data was still hanging out in CDK’s systems, you might be affected too. See item 1 above for more information.
3. CDK’s Future-Proofing (and Yours):
Remember the GLBA Safeguards Rule? It’s showtime for dealer oversight of service providers, which is required under the Safeguards Rule.[1] This includes:
- Engaging service providers capable of maintaining appropriate safeguards
- Requiring contractual implementation of these safeguards
- Periodically assessing service providers based on risk and safeguard adequacy
Post-CDK ransomware incident, dealers need to make sure CDK still has the chops to protect customer info. Dealers need assurances and proof that CDK can still reliably meet the requirements to protect customer information under the Safeguards Rule. This assessment process is important for the dealer’s own GLBA compliance, too.
This is also prime time for dealers to evaluate their vulnerabilities. Keep using those cybersecurity tools (like the ones offered by ComplyAuto), ensure they’re properly configured, and respond to the findings. We’ve seen a surge in penetration testing post-CDK incident – that’s a good sign (but don’t forget to remediate as well)! And time to re-stress phishing training, too. Over 90% of cyber attacks involve phishing – don’t be a statistic! Again, ComplyAuto can help.
Also, you should (indeed you are required to) update your Safeguards Rule Information Security Plan based on lessons learned from the CDK incident and any insights from your vulnerability assessments and penetration testing. You will likely want to include those items in your annual reports as well.
4. Business Interruption:
As we mentioned before, you should check your insurance policies for coverage of business losses related to the CDK incident. While you’re at it, create or update your business continuity plan. Because if there’s one thing we’ve learned, it’s that you need a Plan B (and C, and D…). Document how you’ll keep operations running if systems, networks, or physical locations become unavailable. Stay tuned for more on crafting a solid business continuity plan in an upcoming newsletter, and for some ComplyAuto tools to help.
5. Data Retention Reality Check:
For all CDK users (past and present), it’s time to scrutinize those data retention policies and contractual terms, especially for data stored with third parties. When your relationship with a vendor ends, make sure you know who’s keeping what, for how long, and why. When ending a vendor relationship, consider how you will obtain a copy of your data for continued use, and what obligations the vendor has to ensure it doesn’t retain your data longer than necessary. This will involve both contractual and IT/business logistical considerations.
While the immediate CDK crisis may be cooling down, the compliance heat is still on. Stay vigilant, stay informed, and maybe invest in a good stress ball. Remember, staying compliant is a journey, not a destination. You’ve got this!

[1] 16 C.F.R. 314.4(f).
