As reported in previous communications, the FTC Safeguards Rule was recently amended to require financial institutions (including dealers) to provide an electronic notice to the FTC as soon as possible and no later than 30 days after discovering a notification event involving the information of at least 500 consumers. A notification event is the unauthorized acquisition of unencrypted customer information.
Questions have arisen concerning whether the security incident reported by CDK on June 19 triggers this requirement. If it does, each dealer client of CDK would be required to file a breach notification with the FTC and complete its data fields, including (among other entries) the types of information involved in the notification event and a summary of the event.
Because information surrounding the security incident is subject to an internal, ongoing investigation by CDK and therefore is unavailable to CDK’s dealer clients, dealers are unable to determine whether the federal notification requirement has been triggered.
Accordingly, NADA, in coordination with CDK counsel, proposed to the FTC that the FTC permit CDK to file a single electronic notice on behalf of all of its affected dealer clients should CDK conclude, based on its internal investigation of the incident, that the notification requirement has been triggered.
In such notice, CDK would complete all of the required data fields based on available information, including the identity of its affected dealer clients. A filing by CDK – or a determination by CDK that the notification requirement has not been triggered – would satisfy any reporting obligation the dealer may have under the FTC Safeguards Rule.
The FTC has accepted NADA’s proposal. Consequently, dealers have no obligation to file a breach notification with the FTC related to this matter.**
However, dealers are reminded that (i) the full range of FTC Safeguards Rule requirements remains in effect, and (ii) every state has a breach notification requirement, and the FTC’s acceptance of this proposal has no effect on state notification requirements. Therefore, it is important for dealers to consult with legal counsel to ensure they are in compliance with any applicable state breach notification requirements.
CDK will communicate directly with its dealer clients related to this matter.
– – –
** A dealer can opt out of having CDK handle this matter on its behalf, in which case the dealer will have to file a breach notification if the dealer determines that a notification event has occurred.