Resources List in the Wake of CDK Global Cyber Incident (as of 7/3)

On Wednesday, June 19, CDK Global reported that it had experienced a “cyber incident” that caused it to shut down all systems.

As our industry grapples with the ongoing CDK Global cyber incident, we’re bringing you the latest updates and essential resources. Below, you’ll find guidance on phishing scam prevention, federal notification requirements, and Florida sales tax reporting. We’ve also included valuable resources from our partners, free trial offers from alternative DMS vendors, and insights on FADA’s call for accountability and the economic impact of cyber attacks. Stay informed and protected as we navigate these challenging times together.

FADA is committed to supporting you through this time. If you have any questions or need further assistance, please contact [email protected].

The Federal Notification Requirement and Other Important Guidance from NADA

Dealers should be aware that the FTC requires notification to the FTC (not to customers) of the acquisition of unencrypted customer information without authorization involving at least 500 consumers. This must occur “as soon as possible and no later than 30 days after discovery of the event.” While dealers should consult with their legal counsel regarding compliance with this requirement, given the scale of this event NADA staff has been in communication with FTC staff about when notification must be provided to the FTC. At this time, NADA believes that dealers do not need to provide such a notification imminently, and NADA will provide further information as more information is known about this incident. As this could change, NADA has urged CDK to notify dealers promptly if it learns that such information has been compromised.

Read the full update here.

Sales Tax Reports Guidance

FADA President Ted Smith contacted the Florida Department of Revenue this week to discuss a sales tax grace period given the events at CDK and their impact on our dealers. The Department responded yesterday, and while an across-the-board grace period is not possible, they are sensitive to this issue. They have instructed that the reporting will be handled on a case-by-case basis.

It appears that the Department has limited ability to grant a delay in payments as requested, likely due to statutory requirements in Florida. However, they have notified their individual offices to work with dealers who are impacted.

Given this information, it would be advisable for dealers to pursue some form of anticipated payments based on what can be aggregated manually. Hopefully, the Department will allow for an adjustment in the amount due for July.

FADA will continue to pursue other avenues to assist dealers during this challenging time.

Outage from CDK Cyberattacks Could Cost Dealers $1 Billion, Study Says

The ongoing dealership management system outages following cyberattacks on CDK Global could cost retailers nearly $1 billion if it lasts until the July 4 holiday weekend, according to estimates from the Michigan-based Anderson Economic Group. The group reached its estimated figures by calculating losses from categories including vehicle sales, growing floorplan interest and IT, staffing and administrative costs. The firm put the losses for impacted dealerships at $284 million for the first four days. Read the full article here.

Message from FLHSMV Regarding CVR

CVR (Computerized Vehicle Registration), an EFS/ETR provider in Florida, is currently unable to process transactions. Consequently, dealerships using CVR’s EFS/ETR platform have been temporarily taken offline. However, FLHSMV systems remain unaffected.

We anticipate impacted dealers will pivot to submitting title and registration transactions over the counter. Impacted dealers will also need to utilize preprinted temp tags until CVR restores its systems.

There are currently over 100,000 preprinted temp tags in tag offices and dealerships and 16,000 in inventory at FLHSMV headquarters. FLHSMV ordered over 50,000 additional preprinted tags from our vendor yesterday.

Until CVR recovers, we have instructed tag office managers to provide a sufficient supply of preprinted temp tags to impacted dealers. Dealers should follow Procedure RS-31 for the issuance of offline preprinted temp tags. RS-31 requires that the issuance of preprinted temporary tags be reported to FLHSMV within one business day. For dealers impacted by the CVR cyber incident, this reporting requirement is extended from one to two business days.

Currently, there are 1,847 transactions from CVR dealers in EFS pending submission to a tag office. If you are a dealership using the CVR platform who wishes to cancel a transaction that is pending in EFS, please contact the following FLHSMV personnel:

For dealers north of Tampa, please contact Lisa McNeal.

[email protected]

352-512-6794 (office) or 352-512-8646 (cell)

For dealers in Tampa and south of Tampa, please contact Eric Ladd:

[email protected]

813-302-5032 (office) or 813-285-2152 (cell)

Lastly, through July 5, 2024, tax collectors and license plate agents have been authorized, if necessary, to administratively issue a no-cost temporary tag to customers who purchased vehicles from a Florida dealership directly impacted by the CVR cyber incident.

Legal and Regulatory Considerations from FADA Endorsed Partner, ComplyAuto

Preparation is key. In addition to reviewing and updating contracts, dealers should work now to ensure that their incident response plan is updated and effective. Dealers should also consider establishing a business continuity plan that could be put into place in the event of a future cyber incident to ensure the ability to continue operations in as uninterrupted a manner as possible. Dealers should also take the time to double down on their efforts to fully comply with the Safeguards Rule, including oversight of service providers.

While dealers often cannot control what happens at a vendor, they can (and are required to) conduct due diligence in selecting vendors, ensure that their contracts are compliant and that they are taking steps to ensure that vendors are taking required cybersecurity steps under the Safeguards Rule as well as under many state laws.

It’s important to note that while having a plan is crucial, its effectiveness lies in regular testing, updating, and employee familiarity with the procedures. Auto dealers should conduct periodic tabletop exercises or simulations to ensure their incident response and business continuity plans remain practical and effective.

Right now, dealers should take steps to mitigate the effects of the incident:

Remediate Vulnerabilities: Perform penetration testing, and regularly update and patch systems. CISA created a reference document with helpful tips.
User Training: Train employees to recognize and report phishing.
Authentication: Enforce MFA and use strong, unique passwords.
Network Security: Segment networks and disable unused ports.
Backups: Maintain encrypted, offline backups that regularly test restoration.
Detection and Response: Use endpoint detection and response tools and update antivirus software.

Reach out to CDK and request information on the impact to your dealership and its data. Dealers whose operations are impacted by the CDK systems being down might consider exploring whether they have business interruption coverage under any of their insurance policies that could provide relief for expenses and losses arising from the interruption in business resulting from the outage.

ComplyAuto’s Brad Miller addresses questions received from dealers about their potential obligations if it is determined that customer data has been breached in this article.

View the ComplyAuto CDK Incident Resource Center here.

Points from FADA Partner, Gillrie Consulting

See here.

Tekion Free Trial

Tekion Digital Processing has launched a 30-day free trial for CDK dealers to process deals.

Notes from NADA

NADA is in communication with CDK’s legal office and is seeking additional information about the incident, including whether there has been any unauthorized acquisition of unencrypted customer information.

As part of this process, dealers should review their compliance with their full range of responsibilities under the recently-amended FTC Safeguards Rule.

There are several resources to help address data security and regulatory compliance, including:

NADA Safeguards Rule Driven Guide
FTC Cybersecurity Basics

Emergency Forms Kit from FADA Endorsed Partner, Reynolds & Reynolds

FADA Endorsed Partner, Reynolds & Reynolds has created an Emergency Forms Kit for you to access all forms needed to conduct business. You can access the Kit in two ways:

  1. Call the Emergency Forms Hotline at 1-800-344-0996. An associate will assist you in processing your request.
  2. Access REYSOURCE and place an order for your forms. You may have to set up an account if you do not have one.

Top Tips from ASOTU

ASOTU (Automotive State of the Union) hosted a livestream with industry leaders discussing how to keep teams focused during outages. Here are their top tips for surviving outages:

Back to Basics: Keep paper backups of essential forms and ensure your team can handle tasks manually.
Plan Ahead: Have a detailed playbook and conduct regular training drills.
Communication: Inform customers about the outage and use alternative contact methods.
Tech Solutions: Utilize mobile hotspots and alternative digital tools.
Data Security: Keep physical copies safe and regularly back up digital data.
Employee Support: Guarantee pay during outages and use downtime for training.
Industry Collaboration: Share resources with other dealers and seek external support.
Parts and Service: Track inventory manually and train staff on handwriting orders.
Sales Strategies: Use manual deal jackets and continue remote deliveries.
Long-Term Prep: Review insurance coverage and invest in redundant systems.