[From NADA] In the aftermath of the CDK cyber incident, the Internal Revenue Service (IRS) has issued a reminder to auto dealers to be on the lookout for any new phishing scam attempts.
Fraudsters and identity thieves attempt to trick the recipient into clicking a suspicious link, filling out personal and financial information or downloading a malware file onto their computer. Scammers are relentless in their attempts to obtain sensitive financial and personal information, and impersonating the IRS remains a favorite tactic. The IRS urges auto dealerships to be extra cautious about unsolicited messages and avoid clicking any links in an unsolicited email or text if they are uncertain.
Businesses should remain alert for targeted email and text scams aimed at disrupting their computer systems. These messages arrive as unsolicited texts or emails that lure unsuspecting victims into providing valuable information, which can lead to identity theft or to malware being installed on computer systems.
In some cases, phishing emails appear to come from a legitimate sender or organization whose email account credentials have been stolen. Because such messages are sent from the genuine account, the sender's address alone is no proof that a request is legitimate. Setting up two-factor or multi-factor authentication with the email provider reduces the risk of an individual's email account being compromised in this way.
Individuals and businesses should verify the identity of the sender by using another communication method, for instance, calling a number they independently know to be accurate, not the number provided in the email or text.
What to do:
Read the full release of the IRS’ reminder to auto dealers about protection against scamming.
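The guidance above boils down to two checks a practitioner can automate before anyone clicks: does each link's visible text match where it really goes, and does a trusted name appear inside a host only as a decoy label. The following Python script is an added example, not part of the IRS or NADA material; the message it parses is constructed for illustration, and the trusted-domain set and the two-label domain rule are simplifying assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): an IRS-themed lure
# whose visible link text shows an irs.gov URL while the real target does not.
SAMPLE_EML = b"""From: "IRS Dealer Compliance" <notices@irs-dealer-update.example>
To: dealer@example.com
Subject: Action required: dealer tax verification
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your dealership account requires verification within 24 hours.</p>
<p>Visit <a href="http://irs.gov.verify-portal.example/login">https://www.irs.gov/dealers</a> today.</p>
<p>Questions? <a href="tel:+18005550199">Call us</a>.</p>
</body></html>
"""

# Assumption: the domains the reader considers legitimate for this kind of notice.
TRUSTED_DOMAINS = {"irs.gov"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification: treat the last two labels as the owner's domain. Correct for
    # irs.gov / example.com, wrong for multi-label suffixes such as co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_web_url(s):
    return s.lower().startswith(("http://", "https://"))


def sender_domain(raw):
    """Domain of the From: header. Informational only: mail sent from a compromised
    but genuine account carries a legitimate domain here, so this proves nothing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addr = str(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].rstrip(">").strip().lower() if "@" in addr else ""


def analyze_links(raw):
    """Return one finding per web link, with the reasons it looks deceptive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    findings = []
    for href, text in collector.links:
        if not is_web_url(href):
            continue  # skip mailto:, tel: and relative links
        target = host_of(href)
        flags = []
        # 1. Visible text is itself a URL but points somewhere other than the real target.
        if is_web_url(text) and registrable_domain(host_of(text)) != registrable_domain(target):
            flags.append("visible URL domain differs from real target")
        # 2. A trusted name appears inside the host only as a decoy label (irs.gov.<attacker>).
        for trusted in TRUSTED_DOMAINS:
            if trusted in target and registrable_domain(target) != trusted:
                flags.append(f"host contains {trusted} but is not under it")
        # 3. Plain http for a page that asks for credentials.
        if href.lower().startswith("http://"):
            flags.append("unencrypted http link")
        findings.append({"href": href, "text": text, "target": target, "flags": flags})
    return findings


if __name__ == "__main__":
    print("From domain:", sender_domain(SAMPLE_EML))
    for f in analyze_links(SAMPLE_EML):
        print(f["target"], "<-", repr(f["text"]), "|", "; ".join(f["flags"]) or "no flags")
```

Run it on a saved .eml file by replacing SAMPLE_EML with the file's bytes. A message with no flags is not proof of safety; the out-of-band verification step the IRS recommends still applies, especially when the sender is a known contact whose account may have been taken over.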
Given the recent spike in daily temperatures, the CATA wanted to make dealers aware of a proposed U.S. Occupational Safety and Health Administration (OSHA) national heat illness and injury prevention standard.
The proposed rule would require employers to develop a heat injury and illness prevention plan (HIIPP) with input from nonmanagerial employees that contains site-specific information to control heat hazards. The HIIPP must be in writing for employers with more than ten employees and must be made available to employees in a language that each employee, supervisor, and heat safety coordinator understands. Employers will need to re-evaluate the plan whenever a recordable heat-related illness or injury occurs and at least annually.
The fundamental elements of the proposed rule, which include components addressing rest, water, shade, and acclimatization, are nothing surprising as they are abatement strategies historically recommended by OSHA in prior guidance. However, the proposed standard includes an initial heat trigger with a heat index of 80 degrees Fahrenheit, at which employers must provide drinking water that is suitably cool, break areas with cooling measures, and implement an acclimatization protocol for new or returning employees. The high heat trigger of 90 degrees requires employers to provide employees with a minimum 15-minute paid rest break at least every two hours and a hazard alert reminding employees to drink water and take breaks, among other things.
The proposed standard also requires significant recordkeeping and other administrative obligations. These include requiring employers to:
OSHA will accept comments on its proposal for 120 days following publication in the Federal Register.
Notwithstanding the public comment period, there is no doubt that the proposed rule will face legal challenges particularly in light of the recent U.S. Supreme Court case eliminating deference to federal agencies.
The FCC announced it will vote on final rules that will improve transportation safety and mobility by integrating advanced communications technologies into vehicles and infrastructure. The rules would allow in-vehicle and roadside units to operate cellular-vehicle-to-everything (C-V2X) technology in the 5.9 GHz spectrum dedicated to Intelligent Transportation Systems (ITS).
“The evolution of the 5.9 GHz band advances new car safety technologies in an efficient and effective way while also growing our wireless economy,” said Chairwoman Rosenworcel. “This is sound spectrum management at work.”
C-V2X technology provides direct communications between vehicles, roadside infrastructure, and other road users such as cyclists, pedestrians, and road workers to facilitate, among other things, non-line-of-sight awareness, notice of changing driving conditions, and automated driving.
FCC Chairwoman Jessica Rosenworcel worked for nearly a decade in a bipartisan push to reconsider the best use of the 5.9 GHz band that had long been designated for automobile safety technology but had made little progress toward deployment. These efforts resulted in new rules for the automotive industry that move away from dated technology to the more advanced C-V2X automobile safety technology while also freeing up additional spectrum for unlicensed use, such as Wi-Fi.
The Report and Order circulated by the Chairwoman would, if adopted, promote efficient use of 30 megahertz of spectrum dedicated for ITS in the 5.9 GHz band as well as provide substantial safety benefits to the American public. It would codify C-V2X technical parameters in the Commission’s rules, including power and emission limits and message prioritization. The rules would provide flexibility for the auto industry to use three 10-megahertz channels either separately, in combination as a 20-megahertz channel, or as a single 30-megahertz channel. The rules would also establish prioritization of safety-of-life communications. The rules would not require licensees already operating under C-V2X waivers to make changes to their currently deployed systems, and would provide a two-year timeline for sunsetting the use of existing Dedicated Short Range Communications (DSRC)-based technology.
To permit the full benefits of connected vehicle technology to flourish, the rules would also optionally permit devices installed in vehicles to use geofencing techniques to allow C-V2X equipment to transmit at a higher power level when operating outside of protection zones around federal radiolocation sites.
All of the Dynatron solutions are a combination of our technology and our industry expert coaches. With their support, we turn plans into action plans, and action plans into results. Managing your Service Department is hard enough. You don’t need another vendor; you need a partner.
Guaranteed and unmatched expertise, Dynatron’s results drive customer ROI.
Learn more.
In the wake of the recent CDK Global cyber breach, the automotive industry is facing significant challenges and uncertainties. On June 19th, CDK confirmed a "cyber incident" that led to a series of rapid and consequential actions, including shutting down various systems that are critical to dealership operations. This incident has escalated over weeks, revealing that Eastern European hackers allegedly demanded a multimillion-dollar ransom, and culminating in reports that CDK may have paid approximately $25 million to end the outage.
It is crucial for dealerships to stay informed and take immediate steps to protect their data. This article provides a detailed timeline of the events, an overview of the FTC Safeguards Rule, and KPA’s recommendations for navigating this crisis and enhancing your dealership's data security.
CDK Cyber Incident Timeline:
Reporting Obligations under the FTC Safeguards Rule
The Federal Trade Commission (FTC) Safeguards Rule provides a framework for dealerships and other financial institutions to protect customer information by requiring them to have certain measures in place to ensure the security and confidentiality of customer records and information.
On October 27, 2023, the Federal Trade Commission (FTC) announced a revision to the Safeguards Rule requiring non-bank financial institutions to report data breaches to the FTC within 30 days of discovering that unencrypted information of at least 500 consumers was obtained by third parties without authorization. This notification requirement went into effect on May 13, 2024, and is in addition to any state notification requirements.
Are You Required to Report this Incident to the FTC or Others?
Dealerships do not know yet, since CDK has not revealed exactly what happened. While it is very likely that the hackers accessed and acquired unencrypted customer information, we do not know the extent of what customer information was accessed. In other words, dealerships have no way of knowing whether their customers’ information was compromised during the CDK Cyber Incident.
While CDK has worked out an agreement with the FTC that would allow CDK to report on behalf of any dealership whose customer information was compromised, you should still gather more information before deciding to participate or opt out. What will CDK’s message to the FTC state? Will the dealership have any obligation to follow up on requests from the FTC? Will CDK indemnify dealers for any mistakes or errors?
Additionally, states have their own notification laws, and the agreement between CDK and the FTC does not address those state-level requirements.
Regardless, if you have not already done so, you should notify your insurance company and put it on notice of this incident, even if you are not making a claim, to avoid arguments by the carrier that a delay in notification caused it prejudice. The carrier will also be helpful in the notification process, if necessary.
Nevertheless, stay informed, because data breach notification time frames are very narrow.
Tips for Data Security at Your Dealership
Ensuring the security of your dealership's data is more crucial than ever. Evaluate how your organization protects user data and consider steps to enhance its security. Here are some essential tips to keep your dealership's data secure:
By implementing these tips, you can strengthen your dealership’s data security and build trust with your clients.
Ensure You Are Safeguards Compliant
Need a partner in Complete Compliance? KPA is here for you! KPA Privacy & Safeguards software offers a comprehensive solution specifically designed for automotive dealerships to ensure complete compliance, protect customer data, and streamline operations with a guided 10-step approach.
Our robust 10-step compliance framework includes customized legal policies, technical safeguards, and regular assessments to mitigate risks and ensure compliance. We’re your partners in true, complete compliance. Please reach out to us at info@kpa.io, by visiting kpa.io/automotive, or by giving us a call at 866-856-1735.
It’s almost time to fire up the grills for the 11th Annual BBQ for the Troops events! More than 60 new-car dealers across Chicagoland and Northwest Indiana will be firing up the grills next Saturday, July 13 to raise money for the USO. These funds go to support our service members and their families – many of them right here in our backyards. While the BBQ events are happening next week, fundraising will happen all month long. You can find a list of participating dealers along with a link to donate on the CATA website: https://www.cata.info/2024-BBQ-for-the-Troops.
Thank you to our media partners for their ongoing support in amplifying the reach of this program. Every TV interview, radio commercial, print article, highway billboard or social media share helps generate awareness of the BBQ for the Troops fundraisers. Last week we hosted participating dealers and media partners for the BBQ for the Troops media kickoff event which garnered significant media coverage from all five local, major broadcast networks. If you haven't seen the coverage on TV, take a look at a few of the media clips from this week: ABC 7 Chicago Interview, WGN Chicago Feature, FOX 32 Chicago Interview.
President Biden has increased the US tariff on Chinese-made EVs from 25 percent to 100 percent effective Aug. 1, 2024. According to a recent Crain’s Chicago Business article, “With new 100 percent tariffs the Chinese car business here will sink to zero.”
This increased tariff has already had a knock-on effect in the US market. Volvo, for example, has delayed the introduction of its Chinese-made EX30 electric crossover as the automaker shifts US deliveries of that vehicle from China to Europe. Though the automaker has not specifically called out the tariff as the reason, it is likely a contributing factor.
It is also unclear what effect the tariff will have on currently imported Chinese-made vehicles that are available in the US market. For example, the Buick Envision, Lincoln Nautilus and Volvo S90 are built in China and imported to the US. However, these vehicles are not EVs and therefore would not be subject to the increased tariff. Polestar vehicles are EVs and made in China, so they would be subject to the increased tariff.
For more information on the impact of the new tariff, read the entire Crain’s Chicago Business article HERE. (login required)
The Federal Trade Commission has taken action against online used car dealer Vroom for misrepresenting that it thoroughly examined all vehicles before listing them for sale and failing to obtain consumers’ consent to shipment delays or provide prompt refunds when cars weren’t delivered in the time Vroom promised. Texas-based Vroom has agreed to a proposed settlement that would require the company to pay $1 million to refund consumers harmed by the company’s conduct and prohibit the company from further misleading consumers and failing to provide required disclosures.
“Vroom promised the fast deliveries of thoroughly inspected cars, but sped right past compliance,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Online car dealers and other Internet sellers must provide required disclosures just like any brick-and-mortar businesses that comply with the law.”
In its complaint against Vroom, the FTC alleges that the company failed to follow the Used Car Rule, the Pre-Sale Availability Rule and the Mail, Internet, and Telephone Order Rule (MITOR). Since 2019, Vroom has sold more than 170,000 vehicles to consumers through its website. In its advertising, Vroom said that its cars underwent “multiple inspections” to ensure they were in good condition in an effort to alleviate consumers’ concerns about buying a used car without being able to inspect it before purchasing. Vroom’s website even listed 184 points of inspection that were checked on every car they sold.
Consumer complaints about the company told a different story, according to the FTC’s complaint. Numerous consumers complained about the condition of the cars they received from Vroom, reporting problems ranging from loud grinding noises to bald tires and worn brakes. The complaint also notes that Vroom told consumers, in its advertising and on its website, that cars purchased from the company would be delivered in 14 days or less. Despite making this clear statement, when it couldn’t meet that delivery timeline Vroom regularly failed to give consumers the chance to either consent to a longer delivery timeline or cancel their purchase and receive a prompt refund, as required by MITOR. The complaint cites instances where consumers had to wait three months or longer before their car arrived.
As a used car dealer, Vroom also is required to follow the FTC’s Used Car Rule, which includes a requirement that the dealer properly complete and display a “Buyers Guide” on each used car it offers for sale. The Buyers Guide gives consumers important information about whether the used car comes with a warranty or it is being sold “as is.”
If the car is sold with a dealer’s warranty, the Used Car Rule requires the Buyers Guide to list its basic terms and conditions, including the duration of coverage, the percentage of total repair costs to be paid by the dealer, and the exact systems covered by the warranty. The complaint alleges that Vroom failed to provide the Buyers Guide until late in the purchase process, and that the Guides were often missing required information.
Finally, the complaint alleges that Vroom violated the Pre-Sale Availability Rule because it did not post the terms of its warranty on its website in close proximity to the warranted used vehicle. Nor did Vroom inform customers how they could obtain the warranty’s terms prior to the receipt of the sale documents.
Under the terms of the proposed settlement, Vroom will be required to pay $1 million to the FTC to be used to provide refunds to consumers who were harmed by the company’s unlawful practices.
The settlement also prohibits the company from making misleading claims to consumers about inspections or shipping, and requires Vroom to document all claims about promises it makes about shipping times to consumers, as well as requiring Vroom to follow the requirements of MITOR, the Used Car Rule, and Pre-Sale Availability Rule.
The Commission vote authorizing the staff to file the complaint and stipulated final order was 5-0. The FTC filed the complaint and final order in the U.S. District Court for the Southern District of Texas.
The cyberattack on CDK has highlighted the growing threat of cyberattacks on the automotive industry and the urgent need for enhanced cybersecurity measures. If you have been impacted by the breach or are concerned about your own cybersecurity initiatives, then this webinar is for you. Join KPA and AssuredPartners as Adam Crowell, VP of Legal and Business Development at KPA, and Chris Schrementi, VP of Dealer Services at AssuredPartners, discuss:
Click HERE to watch the Webinar!
Chicago Automobile Trade Association, 18W200 Butterfield Rd., Oakbrook Terrace, IL 60181, (630) 495-2282
Copyright © Chicago Automobile Trade Association.