CDK issues update on security incident
No determination that PII was impacted
Promise to fulfill state breach notice requirements
Yesterday, CDK issued a statement to its dealers with an update on the June 19, 2024, security incident, as well as state and federal breach reporting obligations arising from that incident.
Key takeaways:
Today, all major CDK applications are available, and third-party integrations are almost completely restored. As of now, no determination has been made that any personally identifiable information (PII) was “impacted” by the security incident – but an investigation continues. CDK reiterated its commitment to file FTC notices on behalf of their affected dealers. They reported filing an initial notice to the FTC on July 17, 2024. The company promised to meet state data breach reporting requirements on behalf of dealers if necessary.
CDK included the following details on each of these items:
Status Update
“All major applications – including the Dealer Management System (DMS), CDK Service, and CDK CRM – are available, and the restoration of all OEM and third-party integrations is nearly complete.”
No Determination that PII was “Impacted”
CDK “has been actively investigating” whether there was any “unauthorized access” to personally identifiable information in connection with the event. “As of now, CDK has not determined that any PII was impacted.” However, “the investigation is ongoing.”
Breach Reporting Commitment – Federal (FTC Safeguards Rule)
CDK reiterated their previous (July 1) announcement that it “has obtained permission from the FTC to file a consolidated notice on behalf of all of our affected dealer clients should we determine that the reporting requirement under the FTC Safeguards Rule has been triggered.” They added that “[a]s a result, individual dealers will not need to file notices with the FTC regarding CDK’s June 19 security incident unless you opt-out.” Further, CDK stated that on July 17, 2024, they "provided an initial notice to the FTC." The initial notice states that "CDK’s investigation into the security incident is ongoing. At present, the number of consumers potentially affected if any is unknown. The Company will provide a supplemental submission and/or follow up with Staff once more information is known." CDK promised to provide further information to the FTC on behalf of its dealers if needed.
Breach Reporting Commitment – State Data Breach Law Notices
CDK stated that it will "take the same approach as we did regarding the FTC Safeguards Rule notice" regarding their dealer customers’ potential notice obligations under state data breach notification law. CDK then promised that if their investigation leads them to determine that "any notifications under state breach notification laws (such as notices to state Attorneys General or consumers) are required," they will provide notifications on behalf of affected dealers unless they opt-out.
Lastly, CDK promised to update dealers and follow up on logistics for notification processes should any notice be required and provide further updates as they continue their investigation.
Stay tuned to www.ComplyAuto.com for more updates and information as it becomes available.