

CATA News

  • Thursday, July 18, 2024 2:00 PM | Anonymous member (Administrator)

    In the wake of the recent CDK Global cyber breach, the automotive industry is facing significant challenges and uncertainties. On June 19th, CDK confirmed a "cyber incident" that led to a series of rapid and consequential actions, including shutting down various systems that are critical to dealership operations. This incident has escalated over weeks, revealing that Eastern European hackers allegedly demanded a multimillion-dollar ransom, and culminating in reports that CDK may have paid approximately $25 million to end the outage.

    It is crucial for dealerships to stay informed and take immediate steps to protect their data. This article provides a detailed timeline of the events, an overview of the FTC Safeguards Rule, and KPA’s recommendations for navigating this crisis and enhancing your dealership's data security.

    CDK Cyber Incident Timeline:

    • June 19th – CDK confirms “cyber incident”, shuts down customer access to various systems, turns customer access back on, and turns customer access off again
    • June 20th – It is reported that bandwagon hackers are phishing, vishing, and smishing dealers while posing as CDK
    • June 21st – CDK announces that systems will be down for several days, and it is reported by Bloomberg that Eastern European hackers are allegedly demanding a ransom
    • June 22nd – CDK announced it has started the restoration process, CDK identifies this as a “cyber ransom event”, and the first purported class action complaint is filed against CDK
    • June 25th – CDK notifies dealers that not every dealer will have access restored by June 30th and dealers should look for other options to close month-end
    • July 2nd – CDK announces that the DMS access is substantially restored to customers, and that CDK will make notifications to the FTC (if necessary, unless a dealer opts out)
    • July 11th – CNN reports that CDK likely paid 387 Bitcoins (roughly $25M) to hackers to end the outage

    Reporting Obligations under the FTC Safeguards Rule

    The Federal Trade Commission (FTC) Safeguards Rule provides a framework for dealerships and other financial institutions to protect customer information by requiring them to have certain measures in place to ensure the security and confidentiality of customer records and information.

    On October 27, 2023, the Federal Trade Commission (FTC) announced a revision to the Safeguards Rule, requiring non-bank financial institutions to report data breaches to the FTC within 30 days of discovering that unencrypted information of more than 500 consumers was obtained by third parties without authorization.  This notification requirement went into effect on May 13, 2024, and is in addition to any state notification requirements.

    Are You Required to Report this Incident to the FTC or Others?

    Dealerships do not know yet, since CDK has not revealed exactly what has happened. While it is very likely that the hackers accessed and acquired unencrypted customer information, we do not know the extent of what customer information was accessed. In other words, dealerships have no way of knowing whether their customers’ information was compromised during the CDK Cyber Incident.

    While CDK has worked out an agreement with the FTC that would allow CDK to report on behalf of any dealership if that dealership’s customer information was compromised, you should still gather more information before deciding to participate or opt out. What will CDK’s message to the FTC state? Will the dealership have any obligations to follow up on requests from the FTC? Will CDK indemnify the dealers for any mistakes or errors?

    Additionally, states have their own notification laws, and the agreement between CDK and the FTC does not address those state-level requirements.

    Regardless, if you have not already done so, you should notify your insurance company and put them on notice of this incident, even if not making a claim, to avoid arguments by the carrier that a notification delay caused prejudice to the carrier. The carrier will also be helpful in the notification process, if necessary.

    Nevertheless, stay informed because data breach notification time-frames are very narrow.

    Tips for Data Security at Your Dealership

    Ensuring the security of your dealership's data is more crucial than ever. Evaluate how your organization protects user data and consider steps to enhance its security. Here are some essential tips to keep your dealership's data secure:

    • Create Secure Passwords
      • Strong passwords are the first line of defense against unauthorized access. Use long passwords with a mix of uppercase and lowercase letters, numbers, and special characters.
    • Set Up Multifactor Authentication
      • Multifactor authentication (MFA) adds an extra layer of protection by requiring multiple forms of verification, making it significantly harder for unauthorized users to gain access. With MFA, even if one credential is compromised, additional authentication factors can prevent attackers from accessing all sensitive information.
    • Encrypt Your Data
      • Data encryption transforms readable data into an unreadable format, ensuring that even if unauthorized parties gain access to the data, they cannot interpret or misuse it without the decryption key.  Customer data must be encrypted at-rest and in-transit on the networks and systems that you use.
    • Identify and Address Phishing Messages
      • Phishing attacks are a common method for cybercriminals to gain access to sensitive information. These attacks often involve deceptive messages that lure individuals into clicking malicious links. Ensure your employees are educated on how to recognize and avoid phishing attempts. Test their skills with tools like Google’s phishing quiz: https://phishingquiz.withgoogle.com/
    • Minimize Public WiFi Use
      • Public WiFi networks are often unsecured, making them prime targets for cyber-attacks. Encourage your employees to avoid using public WiFi, especially when accessing company data. Provide secure private WiFi in the workplace to reduce the risk of data breaches.
    • Back Up Your Data
      • In the event of a data breach, having backups of your data is essential. Regularly back up your data to ensure that you can recover important information if it is compromised. This practice can mitigate the impact of a breach and help maintain business continuity.
    • Partner with a SOC Compliance Vendor
      • SOC compliance refers to the set of standards and regulations that companies must adhere to in order to ensure the security, availability, and confidentiality of their customers’ data.
      • Working with a vendor who is certified SOC compliant can bring several benefits to your business. SOC compliance ensures that the vendor has established and implemented adequate controls to protect sensitive data and assets.

    By implementing these tips, you can strengthen your dealership’s data security and build trust with your clients.

    Ensure You Are Safeguard Compliant

    Need a partner in Complete Compliance? KPA is here for you! KPA Privacy & Safeguards software offers a comprehensive solution specifically designed for automotive dealerships to ensure complete compliance, protect customer data, and streamline operations with a guided 10-step approach.


    Our robust 10-step compliance framework includes customized legal policies, technical safeguards, and regular assessments to mitigate risks and ensure compliance. We’re your partners in true, complete compliance. Please reach out to us at info@kpa.io, by visiting kpa.io/automotive, or by giving us a call at 866-856-1735.

  • Friday, July 05, 2024 9:00 AM | Anonymous member (Administrator)

    It’s almost time to fire up the grills for the 11th Annual BBQ for the Troops events! More than 60 new-car dealers across Chicagoland and Northwest Indiana will be firing up the grills next Saturday, July 13 to raise money for the USO. These funds go to support our service members and their families – many of them right here in our backyards. While the BBQ events are happening next week, fundraising will happen all month long. You can find a list of participating dealers along with a link to donate on the CATA website: https://www.cata.info/2024-BBQ-for-the-Troops.

    Thank you to our media partners for their ongoing support in amplifying the reach of this program. Every TV interview, radio commercial, print article, highway billboard or social media share helps generate awareness of the BBQ for the Troops fundraisers. Last week we hosted participating dealers and media partners for the BBQ for the Troops media kickoff event which garnered significant media coverage from all five local, major broadcast networks. If you haven't seen the coverage on TV, take a look at a few of the media clips from this week: ABC 7 Chicago Interview, WGN Chicago Feature, FOX 32 Chicago Interview.

  • Friday, July 05, 2024 9:00 AM | Anonymous member (Administrator)
    • D’Arcy Imports (Mitsubishi)
    • Excell Automotive Equipment has been in the shop equipment industry for over 30 years in the Chicagoland area. We specialize in sales and service of most major brands of shop equipment including Challenger, Rotary, Flo-Dynamics, Mahle, Robin-Air, CEMB, and more! We strive for the highest quality of service, and customer satisfaction. Call today to discuss how Excell can help your service department become a safer and more profitable part of your dealership! Contact: Nick Marocchi - (847) 516-7900.
    • Imagine360 offers a self-funded health plan solution with reference-based pricing and provider partners with 50+ years of industry-leading experience. Contact: Ginger Shepard - gshepherd@imagine360.com.
  • Friday, July 05, 2024 9:00 AM | Anonymous member (Administrator)

    President Biden has increased the US tariff on Chinese-made EVs from 25 percent to 100 percent effective Aug. 1, 2024. According to a recent Crain’s Chicago Business article, “With new 100 percent tariffs the Chinese car business here will sink to zero.”

    This upgraded tariff has already had a knock-on effect in the US market. Volvo, for example, has delayed the introduction of its Chinese-made EX30 electric crossover as the automaker shifts US deliveries of that vehicle from China to Europe. Though the automaker has not specifically called out the tariff as the reason, it’s likely a contributing factor.

    It’s also unclear what effect the tariff will have on currently imported Chinese-made vehicles that are available in the US market. For example, Buick Envision, Lincoln Nautilus and Volvo S90 are built in China and imported to the US. However, these vehicles are not EVs and therefore would not be subject to the increased tariff. Polestar vehicles are EVs and made in China, so they would be subject to the increased tariff.

    For more information on the impact of the new tariff, read the entire Crain’s Chicago Business article HERE. (login required)

  • Friday, July 05, 2024 9:00 AM | Anonymous member (Administrator)

    The Federal Trade Commission has taken action against online used car dealer Vroom for misrepresenting that it thoroughly examined all vehicles before listing them for sale and failing to obtain consumers’ consent to shipment delays or provide prompt refunds when cars weren’t delivered in the time Vroom promised. Texas-based Vroom has agreed to a proposed settlement that would require the company to pay $1 million to refund consumers harmed by the company’s conduct and prohibit the company from further misleading consumers and failing to provide required disclosures.

    “Vroom promised the fast deliveries of thoroughly inspected cars, but sped right past compliance,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Online car dealers and other Internet sellers must provide required disclosures just like any brick-and-mortar businesses that comply with the law.”

    In its complaint against Vroom, the FTC alleges that the company failed to follow the Used Car Rule, the Pre-Sale Availability Rule and the Mail, Internet, and Telephone Order Rule (MITOR). Since 2019, Vroom has sold more than 170,000 vehicles to consumers through its website. In its advertising, Vroom said that its cars underwent “multiple inspections” to ensure they were in good condition in an effort to alleviate consumers’ concerns about buying a used car without being able to inspect it before purchasing. Vroom’s website even listed 184 points of inspection that were checked on every car they sold.

    Consumer complaints about the company told a different story, according to the FTC’s complaint. Numerous consumers complained about the condition of the cars they received from Vroom, with everything from loud grinding noises, bald tires, and worn brakes being reported. The complaint also notes that Vroom told consumers that cars purchased from the company would be delivered in 14 days or less in its advertising and on its website. Despite making this clear statement, when it couldn’t meet that delivery timeline, Vroom regularly failed to give consumers the chance to either consent to a longer delivery timeline or cancel their purchase and receive a prompt refund, as required by MITOR. The complaint cites instances where consumers have had to wait as much as three months or longer before their car arrived.

    As a used car dealer, Vroom also is required to follow the FTC’s Used Car Rule, which includes  a requirement that the dealer properly complete and display a “Buyers Guide” on each used car it offers for sale. The Buyers Guide gives consumers important information about whether the used car comes with a warranty or it is being sold “as is.”

    If the car is sold with a dealer’s warranty, the Used Car Rule requires the Buyers Guide to list its basic terms and conditions, including the duration of coverage, the percentage of total repair costs to be paid by the dealer, and the exact systems covered by the warranty. The complaint alleges that Vroom failed to provide the Buyers Guide until late in the purchase process, and that the Guides were often missing required information.

    Finally, the complaint alleges that Vroom violated the Pre-Sale Availability Rule because it did not post the terms of its warranty on its website in close proximity to the warranted used vehicle. Nor did Vroom inform customers how they could obtain the warranty’s terms prior to the receipt of the sale documents.

    Under the terms of the proposed settlement, Vroom will be required to pay $1 million to the FTC to be used to provide refunds to consumers who were harmed by the company’s unlawful practices.

    The settlement also prohibits the company from making misleading claims to consumers about inspections or shipping, and requires Vroom to document all claims about promises it makes about shipping times to consumers, as well as requiring Vroom to follow the requirements of MITOR, the Used Car Rule, and Pre-Sale Availability Rule.

    The Commission vote authorizing the staff to file the complaint and stipulated final order was 5-0. The FTC filed the complaint and final order in the U.S. District Court for the Southern District of Texas.

  • Friday, July 05, 2024 9:00 AM | Anonymous member (Administrator)

    The cyberattack on CDK has highlighted the growing threat of cyberattacks on the automotive industry and the urgent need for enhanced cybersecurity measures. If you have been impacted by the breach or are concerned about your own cybersecurity initiatives, then this webinar is for you. Join KPA and AssuredPartners as Adam Crowell, VP of Legal and Business Development at KPA, and Chris Schrementi, VP of Dealer Services at AssuredPartners, discuss:

    • What's known about the incident
    • Should you make insurance claims (e.g., for business interruptions, cyber, etc.)?
    • What your compliance and reporting obligations are

    Click HERE to watch the Webinar!

  • Friday, July 05, 2024 9:00 AM | Anonymous member (Administrator)

    According to a recent iSeeCars study, used electric vehicle prices fell below used gasoline vehicle prices in February and continue to fall faster than prices for traditional and hybrid cars. EV prices dropped below average used gas car prices by $265 in February, widening to $2,657 in May. In June 2023, used EV values were more than $8,000 (25 percent) higher than the average used gas car price; last month they were $2,657 (over 8 percent) lower than the average used gas car price. Over the past year average used gas car values have dropped between 3 and 7 percent year-over-year, while used EV values have dropped between 30 and 39 percent. Used electric vehicle prices fell below average gas car prices in February and EVs have continued to lose value faster than the average used gas car, according to the latest study.

    The study analyzed over 2.2 million 1- to 5-year-old used cars sold in May 2023 and 2024 and found that the average used EV price is down 29.5 percent year-over-year versus 6.1 percent for the average used gas car price. In May 2024, the average used electric vehicle was priced at $28,767, or 8.3 percent below the average gas car at $31,424. These prices show a major turnaround from a year ago, when the average used EV cost $40,783 and the average used gas car cost $33,469.

    “There’s no denying the crash in used electric vehicle values over the past year,” said Karl Brauer, executive analyst at iSeeCars. “We’ve watched EV prices fall between 30 and 40 percent since June of last year, while the average gas car’s price has dropped by just 3 to 7 percent in that same timeframe.”

    For more information, read the study HERE.

  • Friday, July 05, 2024 9:00 AM | Anonymous member (Administrator)

    The Illinois Personal Information Protection Act, 815 ILCS 530/1 provides that any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge if there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. Furthermore the act provides that any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

    If the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information, substitute notice (as defined in the Act) may be provided.

    “Personal information” is defined as a person’s name plus one of the following: social security number; driver’s license number or state identification card number; account number or credit or debit card number; medical information; health insurance information; or unique biometric data. “Personal information” also includes a user name or email address in combination with a password or security question and answer that would permit access to an online account.

    For more information, visit the Illinois Attorney General Data Breach webpage: https://illinoisattorneygeneral.gov/Consumer-Protection/For-Businesses/Data-Breach/.

  • Monday, July 01, 2024 9:00 AM | Anonymous member (Administrator)

    Wickstrom joins incumbents Crane, Marks and Roberts on the CATA board.

    Jared Wickstrom (Dick Wickstrom Chevrolet, Roselle) has been elected to the Chicago Automobile Trade Association (CATA) board of directors. Incumbents John Crane (Glenview Luxury Imports; Hawk Auto Group [Cadillac, Chevrolet, Chrysler, Dodge, Ford, Jeep, Mazda, Ram, Subaru, Volkswagen]), Fred Marks (Classic Kia; Classic Toyota, Waukegan), and Jason Roberts (Advantage Acura of Naperville; Advantage Chevrolet of Bolingbrook; Advantage Chevrolet of Bridgeview; Advantage Chevrolet of Hodgkins; Advantage Toyota of River Oaks) return for another three-year term.

    Wickstrom, a native of Lisle, Illinois, succeeds his father Casey and cousins Colin and Richard on the CATA board of directors. He is also currently a member of the Chicagoland Chevrolet Dealers LMA board.

    “I would like to thank my peers for having the trust and confidence in me to elect me to the CATA board of directors,” said Wickstrom. “It is truly an honor, and I am thrilled to join such a passionate group of people to advocate for our collective interests, promote integrity, and help navigate the challenges that will continue to come our way. I look forward to serving.”

    The CATA also elected a new executive board: Jason Roberts is the 2024-25 CATA chairman; Ryan Kelly (Kelly Nissan, Oak Lawn) is vice chairman; and Steve Phillipos (Chevrolet of Homewood; Ford of Homewood) is treasurer/secretary. Former CATA Chairwoman Kelly Webb Roberts (Genesis of Highland [Indiana]; Webb Chevrolet, Oak Lawn; Webb Chevrolet of Plainfield; Webb Hyundai, Highland [Indiana]; and Webb Hyundai, Merrillville [Indiana]) becomes 2025 Chicago Auto Show chairwoman.

    “On behalf of our association and its members we are excited to welcome Jared Wickstrom to the CATA board,” said Jennifer Morand, president of the CATA. “Jared comes to us with a long and rich history in the industry that will certainly prove beneficial for working on behalf of all Chicagoland dealers.”

    “I also congratulate John, Fred and Jason on their reelection to the CATA board,” said Morand. “We’re delighted they will continue to serve our board, each bringing immense value to the future of the association.”

    Election results were announced June 11 at the association’s annual meeting and golf outing at Cog Hill Golf & Country Club in Lemont. Directors can serve up to three terms. Voting was open to all CATA dealer members whose association membership is in good standing.

    In addition to the four directors elected this month and the executive committee, the CATA board includes Emir Abinion, Jerry Haggerty, Dan Heller, Dan Marquardt and JC Phelan.

  • Friday, June 21, 2024 9:02 AM | Anonymous member (Administrator)

    It is with a heavy heart that we share former CATA employee and Drive Chicago Radio Host Paul Brian passed away in his home last week.

    Paul Brian served as Director of Communications for the Chicago Automobile Trade Association and Chicago Auto Show from 1994 to 2012 and hosted the "Drive Chicago" radio show on WLS-AM Radio for 20 years. He was an honored juror for the North American Car and Truck of the Year Awards (NACTOY), served as president of the Midwest Automotive Media Association (MAMA), received two Emmy awards, and was inducted into the Legends of Motorsport Guild’s Hall of Fame.

    Paul Brian was a proud veteran of the U.S. Army, serving as the Director of the Armed Forces Radio and Television network while stationed in the Panama Canal Zone during Viet Nam in the early 1970s. His love and devotion to the Army lived long after his service to our country. He spent decades serving veterans through philanthropic work and served as a founding member of the Allen J. Lynch Medal of Honor Board of Directors.

    In lieu of flowers, his family is asking that donations be given to the Allen J. Lynch Medal of Honor Veterans Foundation in his name, as it was another of his passions to help other soldiers who sacrificed so much.

    (Allen J. Lynch Medal of Honor Veterans Foundation provides grants to those who are engaged in providing educational programs, PTSD and direct assistance to veterans. Allen J Lynch Medal of Honor Veterans Foundation (501(3) organization) 6615 Grand Ave Ste B PMB 415, Gurnee, IL, 60031.)

Chicago Automobile Trade Association
18W200 Butterfield Rd.
Oakbrook Terrace, IL 60181 
(630) 495-2282


Copyright © Chicago Automobile Trade Association.
