CDK has recently announced that, if it is determined that any notifications under state breach notification laws are required, CDK will provide the notifications on behalf of affected dealers, unless they opt out.
New Jersey’s Data Breach Notification law requires notification to any customer whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. Like the FTC Data Breach rule, under New Jersey’s law, the affected personal information must be unencrypted. Before notification is made to the customer, the State Police must be first notified.
NJ CAR has previously notified dealers that CDK had obtained the permission from the FTC to file a consolidated notice on behalf of all affected dealer clients, if determination is made that the reporting requirements under the FTC Safeguards Rule has been triggered. This would alleviate the burden on dealerships to potentially file individual notices. Unless affected dealers opt out, they would not need to file notices with the FTC regarding CDK’s June 19 security incident.
As of July 30, 2024, CDK continues to work with leading third-party experts and has not determined that any personally identifiable information (PII) was impacted. In its initial notice to the FTC on July 17, 2024, CDK stated that “CDK’s investigation into the security incident is ongoing. At present, the number of consumers potentially affected, if any, is unknown. The Company will provide a supplemental submission and/or follow up with Staff once more information is known.”
The takeaway here is that CDK dealers are in a holding pattern. Upon the completion of the CDK investigation, if it is determined that any reporting or notice requirements under the FTC Safeguards Rule or any state data breach notification laws has been triggered, CDK will update dealerships on next steps.
That trigger communication from CDK will advise dealers of the notification process, including how they may opt out and make individual notifications under the FTC Data Breach Rule and New Jersey’s Data Breach Notification Law.
If dealers have questions about this topic or any other questions, they should contact Greyson P. Hannigan, NJ CAR’s Director of Legal & Regulatory Affairs, at (609) 883-5056 – ext. 340 or, via email, at [email protected].