On June 19, technology giant CDK Global fell victim to two consecutive cyber incidents that significantly impacted dealerships across North America for almost two weeks. The outage, which is now widely attributed to ransomware group BlackSuit, caused several major disruptions:
Operational Disruptions: The shutdown of CDK Global’s systems forced dealerships to revert to manual processes. Many have reported having to process transactions using pen and paper. This has caused enormous delays in sales and services.
Financial Impact: The outage has caused severe financial repercussions. Inability to access digital records and scheduling systems has delayed appointments. In the busy summer season, this has potentially cost dealerships almost a billion dollars.
Customer Inconvenience: These delays have led to negative customer experiences, which will likely have a far-reaching impact on some of the affected companies as they work to rebuild trust.
CDK Global announced on July 1 that they planned to return to normal operations. They have not confirmed how they were able to restore their systems, but it has been reported by CNN that evidence suggests they may have paid a ransom.
In light of increasing cyber incidents such as the CDK cyber-attack, Shartega IT has made cybersecurity its top priority. Shartega employs a number of advanced cybersecurity solutions to protect its clients, such as proactive threat monitoring and endpoint protection. It also regularly audits client IT infrastructure to identify possible areas for improvement. Its blogs educate the public on the importance of cybersecurity. Since the outage, Shartega has been working hard to add additional layers of security, preventing its clients from experiencing any further downtime or revenue loss.
Third parties such as MSPs play an important role in cybersecurity, but it is still necessary for companies to understand how they can secure their systems on their own and lower their chances of a cyber incident occurring. Here are some steps dealerships can take:
By following the above steps, dealerships can build a solid cybersecurity foundation that will help protect them from experiencing incidents similar to the CDK cyber-attack. This experience should serve as a warning to businesses that they must prioritize security in all daily operations, as the consequences of poor protection can be devastating.
The Illinois Worker Freedom of Speech Act (“Act”) has been signed into law. Despite the name, the Act has little to do with worker freedom of speech and is more focused on restricting employers' speech. Pursuant to the Act, Illinois employers are prohibited from terminating or disciplining employees (or threatening to do so) because they decline to attend or participate in an employer-sponsored meeting about political or religious matters or decline to receive communications about such a meeting.
The Act is effective January 1, 2025.
“Political Matters”
"Political matters" is defined broadly to cover elections, political parties, proposals to change legislation, regulations, or public policy, and the decision to join or support any political, civic, community, fraternal, or labor organization.
The inclusion of the term “labor organization” is notable since it would include, among other scenarios, employers that distribute union avoidance literature or hold meetings designed to discourage organizing efforts. Further, since “employee” is not limited in the Act to non-managerial employees, this could also mean that employers would not be able to require managers to attend meetings designed to train them in union avoidance. Employers who hold such training sessions should make clear in writing that attendance is strictly voluntary and that failure to attend will not result in adverse action. Nothing in the Act prohibits employers from conducting such meetings on a strictly voluntary basis.
There are a few exceptions to the Act, such as voluntary meetings that discuss religious or political matters; conveying information required by law; communicating information necessary for employees to perform their job duties; attending training intended to foster a civil and collaborative workplace or prevent workplace harassment or discrimination; or prohibiting political or religious organizations from requiring their employees to attend meetings discussing that organization’s political or religious beliefs.
Enforcement
Employees who believe the Act has been violated may bring a civil action to enforce the Act within one year after the date of the alleged violation. The court may award the prevailing employee relief including injunctive relief, reinstatement to the employee’s former position or an equivalent position, back pay, reestablishment of any employee benefits, including seniority, to which the employee would otherwise have been eligible if the violation had not occurred, and any other appropriate relief deemed necessary by the court to make the employee whole. The court “shall” also award a prevailing employee reasonable attorney’s fees and costs. Not surprisingly, the Act is silent as to awarding a prevailing employer any attorney’s fees or costs, which likely means the only option for employers to recover attorney’s fees will be if the employer can prove the litigation was frivolous under state or federal procedural rules.
In addition, the Illinois Department of Labor (IDOL) must inquire into any alleged violations that are brought to its attention by an “interested party” to institute actions for additional penalties that are called for in the Act. Section 25 of the Act states “In addition to the relief set forth in Section 20, an employer shall be assessed a civil penalty of $1,000 for each violation of Section 15, payable to the Department.” Although it is not clear, presumably the IDOL must institute a proceeding to impose the penalty, rather than a court having jurisdiction to impose a fine that becomes payable to the IDOL. In addition, the Act also calls for “interested parties” to bring claims to the IDOL.
An “interested party” means an organization that monitors or is attentive to compliance with public or worker safety laws, wage and hour requirements, or other statutory requirements. This is an exceptionally vague definition (and the term “organization” is not defined) and might be broadly interpreted to include nearly anyone who claims to care about worker rights. This could mean not only a union that seeks to organize at a particular company but could also include an attorney who represents employees in employment-related claims. Astonishingly, interested parties are given three years after the alleged conduct to file suit, which is tolled during the investigation period at the IDOL. Thus, this Act gives so-called “interested parties” more rights and leeway than actual “aggrieved parties.” Even more astounding is the fact that these interested parties can not only recover the damages allowed for aggrieved parties, but also 10 percent of any statutory penalties assessed, plus any attorney’s fees and expenses in bringing the action. Thus, employers can likely expect a slew of litigation by plaintiff’s lawyers, union representatives, and others purporting to be “interested parties,” whether legitimate or not, and whether damages have been suffered or not.
Key Takeaways
If there are no challenges to the Act prior to it taking effect on January 1, 2025, it will be important for employers to make it clear that any meetings that discuss political (including any union issues) or religious matters are voluntary. If employers want to discuss other matters that are not forbidden by the Act, it will be necessary for them to hold separate meetings or have distinct parts to the meeting where they allow employees to leave when touching on any political (including union) or religious matters. The alternative to doing the above would be a risk to employers, though that risk may be something an employer chooses to take in order to challenge the validity of the law.
The Chicago Automobile Trade Association (CATA), the Chicago area’s new-car dealer association, once again partnered with the USO to host the 11th annual BBQ for the Troops fundraisers. To date, 60 local new-car dealerships rallied their communities to bring in $81,267 for the USO. The barbecue-themed events, held last month, featured everything from patriotic ceremonies, classic car shows, live music, games for kids of all ages and, of course, barbecues. Additionally, participating dealers donated to the cause for every test drive that took place in the month of July.
“Supporting our local communities and those in need is right within the wheelhouse of our local car dealers and what better way to make an impact than rallying together for this great cause,” said CATA Chairman Jason Roberts. “We are thrilled to once again present this check to the USO who do such crucial work supporting our service members and their families.”
This year’s fundraiser brought the grand total of the more than decade-long program to more than $1.2 million, supporting the USO initiatives with nearly 700 fundraisers over the years. These funds enable the USO to lend support to more than 300,000 service members and their families annually.
“We are so grateful for the support we receive from our partners at the Chicago Automobile Trade Association and the local new-car dealerships,” said USO Executive Director in Illinois, Christopher Schmidt. “This grassroots fundraiser has now raised more than $1.2 million in crucial funds that support our service members and their families. On behalf of the USO and all those who serve our nation, we thank all the participating dealers and their communities for their generous support over the last 11 years.”
The program culminated this week when CATA board members presented a check to the USO for a total of $81,267.48.
“I would be remiss if I didn’t mention the incredible support that we received from our media partners surrounding this fundraiser,” said Roberts. “Many thanks are due to all our partners in TV, radio and outdoor advertising media who helped us promote this worthwhile program. A special thanks to ABC 7 Chicago for producing the TV spot that aired throughout the market.”
Dealers that accepted any Visa- or Mastercard-branded credit cards at any time from Jan. 25, 2019 to Jan. 1, 2024, may be eligible to recover money from excessive interchange fees through a class-action settlement. Dealers can file now through Aug. 30, 2024.
As we’ve reported, CDK obtained permission from the FTC to file a consolidated notice on behalf of all affected dealer clients, should it be determined that the reporting requirement under the FTC Safeguards Rule has been triggered. While this was great news on a federal level, there was still a question of whether dealers in Illinois – and in other states – would also need to file a notice.
Fortunately, yesterday, CDK announced that it will also handle any applicable breach notification requirements at the state level on behalf of affected dealers (if required). This communication was made to dealers via email and to Automotive Trade Association Executives in a letter.
CDK is still investigating whether there was any unauthorized access to any personally identifiable information (“PII”). CDK has been actively investigating the issue with the assistance of leading third-party experts. As of now, CDK has not determined that any PII was impacted.
The good news for dealers is that should CDK realize that any PII was impacted, CDK will be making the required notifications for all affected dealers.
As always, the CATA recommends that every dealer consult with his or her legal counsel for further advice. CATA will continue to provide updates as they become available.
Dealerships already spooked by the CDK Global cyberattacks face new cyber threat risks stemming from the global CrowdStrike outage on July 19.
CrowdStrike is a cybersecurity provider whose problematic software update led to a crash of Microsoft Windows systems globally. Now, criminals are trying to profit off the incident through bogus emails encouraging dealers to "fix" their systems.
A July 31 warning issued by cybersecurity consulting firm Helion Technologies cautioned that cybercriminals are pursuing what's known as a social engineering phishing attack. They're using a fake Internet domain that appears to be CrowdStrike, and in an email are encouraging dealerships to click a link for an "immediate patch."
Helion's warning included a screenshot of another phishing email claiming to be from CrowdStrike. It encourages customers to update their Windows servers using an attached download and software tool "to avoid disruptions."
The email also recommends "organizations ensure they're communicating with CrowdStrike representatives through official channels," and warns in bold that "the consequences of any failure to update the system and disruption will be the responsibility of the organization's IT manager."
Read more in Automotive News.
Several June 2024 new vehicle dealership financial metrics/trends are below:
Information provided by CATA Allied Member Woodward & Associates. For more information contact Carl Woodward at (309) 830-4747 or carlswoodward@cpaauto.com.
The CATA is asking members to nominate candidates for the TIME Dealer of the Year.
CRITERIA
In addition, the following rules apply:
If a nominee is not actively managing the dealership at the time of nomination, they can be named their state’s nominee; however, in order to be considered as a finalist or to be named the TIME Dealer of the Year, active participation at the time of nomination is required.
Please send nominations before Aug. 5 to Mark Bilek at mbilek@drivechicago.com.
[From NADA] On July 24, the House of Representatives voted to pass the House Interior, Environment and Related Agencies appropriations bill for Fiscal Year 2025, which includes language (Secs. 474 and 475) that would temporarily stop the EPA from spending funds to implement, administer or enforce its de facto EV mandates on light-duty, medium-duty and heavy-duty vehicles. This bill passed the House by a vote of 210-205.
On July 24, NADA President and CEO Mike Stanton and ATD President Laura Perrotta sent a letter to House members in support of this bill.
NADA and ATD are highly skeptical that EVs will be adopted anywhere near the levels required to comply with the EPA’s rules. While dealers have supported the move to electrification with billions of dollars in investments and the purchase of EV inventory, the U.S. lacks an adequate national consumer and commercial vehicle charging network, which makes the rapid adoption of EVs required by the EPA impractical.
The fate of the EV riders in the House funding legislation is uncertain, as the spending bill will need to be negotiated with the Senate, likely in the lame duck session of Congress. NADA will continue efforts to temporarily stop or disapprove of EPA’s de facto EV mandates.
The 28th Annual Better Business Bureau (BBB) Torch Awards for Ethics applications are now open! These prestigious awards celebrate businesses that exemplify integrity, transparency, and outstanding ethical practices. As champions of trust and accountability in the marketplace, we're committed to recognizing those who lead by example.
Last year, CATA Board Member Emir Abinion (Fox Valley Buick GMC, Fox Valley VW and Fox Valley VW in Crystal Lake) was selected as Torchbearer of the Year by the BBB. Do you know of a dealership that embodies the principles of integrity and accountability in every aspect of their operations? Now is the time to shine a spotlight on their exemplary behavior. The deadline is September 11.
It only takes 60 seconds to nominate someone or your company for an award that will last the lifetime of your business.
Chicago Automobile Trade Association, 18W200 Butterfield Rd., Oakbrook Terrace, IL 60181, (630) 495-2282
Copyright © Chicago Automobile Trade Association.