A Word About the CDK Mess
As all of you should have already received multiple communications from your dealer association and NADA, we will keep our comments on the CDK mess brief.
First, we strongly recommend that dealers continue to read communications from your dealer associations and NADA as they contain important information concerning legal duties you may have to report the breach of customer data. The FTC and, for most dealers, an agency within your state are required to receive notice of a breach of customer data under certain circumstances. Because CDK has not been able or willing to tell dealers whether there has been a customer data breach, and to what extent, NADA has reported that the FTC is not currently requiring dealers to submit any information with the FTC. While the FTC requirements apply to all dealers across the country, each state’s reporting requirement is unique and may have already been triggered. Consult your experienced dealer lawyer to determine your dealership’s obligations.
Second and lastly, the data-ransom situation with CDK is a prime example of why it is critically important that your state’s franchise law provide data sharing protections to the dealership and your customers. Despite requiring dealers to use certain third-party DMS system vendors, OEMs have historically objected to state franchise legislation which held the OEMs and their vendors responsible for protecting customer data and indemnifying dealers in the case of a breach. For those states still without such protections, the CDK mess is “Exhibit A” for why your Legislature should immediately pass such laws.