CDK cyberattacks cripple the automotive industry
In the past several years, dealers have had to deal with a plethora of disruptions to their businesses, including COVID-19, supply chain issues, semiconductor chip shortages, and now cyberattacks. On June 19, 2024, CDK Global, Inc. (“CDK”), a dealer management system (“DMS”) provider that holds a majority share of its market, was brought to its knees by ransomware attacks. Out of an abundance of caution, CDK took all of its systems offline, significantly disrupting the operations of more than 15,000 dealerships across North America. On June 21, 2024, Bloomberg News and Reuters reported that BlackSuit, a well-known ransomware group, was behind the attack.
As of the date of this article, CDK’s core functions are back online, with the exception of certain third-party applications. CDK has been very careful about what details it shares with the public about the cyberattacks—presumably to protect itself from forthcoming litigation. Although too few facts have been confirmed to permit a full analysis at this time, the discussion below may help dealers concerned about preserving, and understanding, their rights under these circumstances.
Litigation against CDK
Given the devastating effects of the CDK ransomware attack, it is no surprise that numerous lawsuits have been filed against the DMS provider. As of the date of this article, dealerships, dealership retail employees, and consumers are among the plaintiffs in the 10 federal lawsuits filed against CDK. The allegations include negligence, negligence per se, unjust enrichment, breach of contract, and breach of fiduciary duty.
Two of those cases involve dealership plaintiffs. In the first, a Mississippi-based Buick-GMC dealership alleges that it was unable to conduct regular business, causing significant business interruption and lost revenue. The second is a multi-dealership suit alleging that CDK was negligent in protecting its users and that sensitive personal data was exposed to cybercriminals, causing the dealerships reputational harm. Both complaints ask their respective courts to certify a class; the proposed class definitions differ slightly, but both center on businesses that suffered losses from the cyberattacks.
As of the date of this article, CDK has not responded to any of the complaints, but its responses are expected to provide critical details about the data privacy and security controls that were in place when the cyberattacks occurred. The adequacy of those controls will likely be the dispositive issue in these cases.
CDK Master Services Agreement
We reviewed a copy of CDK’s Master Services Agreement (the “MSA”) to see how it addresses CDK’s privacy and cybersecurity obligations and liability, recognizing that each dealer’s MSA may be customized and of a different vintage. The MSA requires CDK to maintain reasonable security measures to prevent unauthorized access to, or loss or alteration of, dealership client data, and to protect that data consistent with applicable state and federal laws. Importantly, however, the MSA explicitly states that CDK does not guarantee against unauthorized access to, or loss of, dealership client data. Analysis of CDK’s contractual liability is therefore expected to focus heavily on whether CDK in fact maintained “reasonable security measures” to prevent cyberattacks.
Even if CDK were found to have breached its safeguarding obligations under the MSA, recovering damages is further complicated by the MSA’s limitation-of-liability provisions. For example, the MSA provides that, regardless of the legal theory, CDK is liable only for the lesser of (1) the dealership’s actual damages or (2) an amount equal to one month’s payment to CDK, averaged over the prior 12-month period. The MSA also states that CDK is not responsible, under any circumstances, for lost profits or interruption of a dealership’s business, particularly where the cause is outside CDK’s reasonable control. Whether the cyberattack was outside CDK’s reasonable control cannot be assessed without factual information that has not yet been made available, but CDK clearly has an arsenal of liability-reducing protections in the MSA.
Moreover, the MSA contains a mandatory arbitration clause and selects Illinois law. Whether the arbitration clause can be attacked, or does not reach certain claims, remains to be seen. Claims that are subject to arbitration, however, generally cannot be pursued on a class-action basis.
Liability limitations
Whether a contract is categorized as one for the sale of goods or for the sale of services has substantial implications for the enforceability and interpretation of many of its provisions. Article 2 of the Uniform Commercial Code (the “UCC”) governs the sale of goods, whereas the common law generally governs the sale of services. Whether CDK’s DMS product is categorized as a good or a service may therefore affect the enforceability of the limitations of liability in the MSA.
Under the UCC, a limitation-of-liability provision like the one discussed above can be set aside if the limited remedy “fails of its essential purpose.” Therefore, if a court finds CDK’s DMS product to be a good, dealerships may have remedies such as incidental and consequential damages (i.e., lost profits) available to them, regardless of contrary language in the MSA, since the essential purpose of the product, the DMS, was completely unavailable to dealers. Under the common law, significantly more deference is given to the actual language of the parties’ agreement, which will generally not be circumvented unless the contract is found to be unconscionable. Even then, that deference can be reduced or eliminated by a variety of factors, including whether statutory or regulatory provisions bear on the services being offered. Here, the plethora of existing state and federal privacy and data security laws – and the public policies they serve – will certainly be important factors in the analysis.
Generally, a predominant purpose test is used to determine whether a contract is one for the sale of goods or for the sale of services. Courts weigh many factors and look to prior precedent. Interestingly, in an earlier case in which CDK faced antitrust allegations, the court declined to find that the CDK DMS product was a “good” (In re Dealer Management Systems Antitrust Litigation (N.D. Ill. 2019) 362 F.Supp.3d 510, 550), so this issue is far from settled.
Compliance with California Law
In apparent recognition that dealers cannot run their businesses in compliance with applicable privacy and cybersecurity laws without the proper operation of their DMS, and that dealers lack the bargaining power to support a presumption that DMS contracts are fair and balanced, California enacted Vehicle Code Section 11713.25, which provides as follows:
- (a) A computer vendor shall not do any of the following:
  - (1) Access, modify, or extract information from a confidential dealer computer record or personally identifiable consumer data from a dealer without first obtaining express written consent from the dealer and without maintaining administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the information.
  - (2)(A) Except as provided in subparagraph (B), require a dealer as a condition of doing or continuing to do business, to give express consent to perform the activities specified in paragraph (1).
    - (B) Express consent may be required as a condition of doing or continuing to do business if the consent is limited to permitting access to personally identifiable consumer data to the extent necessary to do any of the following:
      - (i) To protect against, or prevent actual or potential fraud, unauthorized transactions, claims, or other liability, or to protect against breaches of confidentiality or security of consumer records.
      - (ii) To comply with institutional risk control or to resolve consumer disputes or inquiries.
      - (iii) To comply with federal, state, or local laws, rules, and other applicable legal requirements, including lawful requirements of a law enforcement or governmental agency.
      - (iv) To comply with lawful requirements of a self-regulatory organization or as necessary to perform an investigation on a matter related to public safety.
      - (v) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities.
      - (vi) To make other use of personally identifiable consumer data with the express written consent of the consumer that has not been revoked by the consumer.
  - (3) Use electronic, contractual, or other means to prevent or interfere with the lawful efforts of a dealer to comply with federal and state data security and privacy laws and to maintain the security, integrity, and confidentiality of confidential dealer computer records, including, but not limited to, the ability of a dealer to monitor specific data accessed from or written to the dealer computer system. Waiver of this subdivision or purported consents authorizing the activities proscribed by the subdivision is void.
- (b) A dealer shall have the right to prospectively revoke an express consent by providing a 10-day written notice to the computer vendor to whom the consent was provided or on any shorter period of notice agreed to by the computer vendor and the dealer. An agreement that requires a dealer to waive its right to prospectively revoke an express consent is void.
- (c) For the purposes of this section, the following terms mean as follows:
  - (1) “Confidential dealer computer record” means a computer record residing on the dealer's computer system that contains, in whole or in part, any personally identifiable consumer data, or the dealer's financial or other proprietary data.
  - (2) “Computer vendor” means a person, other than a manufacturer, manufacturer branch, distributor, or distributor branch, who in the ordinary course of that person's business configured, sold, leased, licensed, maintained, or otherwise made available to a dealer, a dealer computer system.
  - (3) “Dealer computer system” means a computer system or computerized application primarily designed for use by and sold to a motor vehicle dealer that, by ownership, lease, license, or otherwise, is used by and in the ordinary course of business of a dealer.
  - (4) “Express consent” means the unrevoked written consent signed by a dealer that specifically describes the data that may be accessed, the means by which it may be accessed, the purpose for which it may be used, and the person or class of persons to whom it may be disclosed.
  - (5) “Personally identifiable consumer data” means information that is any of the following:
    - (A) Information of the type specified in subparagraph (A) of paragraph (6) of subdivision (e) of Section 1798.83 of the Civil Code.
    - (B) Information that is nonpublic personal information as defined in Section 313.3(n)(1) of Title 16 of the Code of Federal Regulations.
    - (C) Information that is nonpublic personal information as defined in subdivision (a) of Section 4052 of the Financial Code.
- (d) This section does not limit a duty that a dealer may have to safeguard the security and privacy of records maintained by the dealer.
Note that subsection (a)(1) effectively requires each DMS provider to maintain administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the information. It would be surprising if a court read this provision to allow anything less than “reasonable” safeguards to satisfy CDK’s obligation.
Note also that subsection (a)(3) bars the DMS vendor from using any means, including contractual means, to limit the dealer’s ability to maintain its data security. The last sentence of subsection (a)(3) also appears to prohibit waivers of the DMS vendor’s duties under subdivision (a) of section 11713.25. These anti-waiver provisions could be asserted to negate the limitation-of-liability provisions in CDK’s agreements. Further research will determine whether similar arguments can be made under federal statutes and the laws of other states.
It is hoped that more information about how CDK’s systems were penetrated, and the extent of any data breach or loss, will soon become available. In the meantime, dealers may be well advised to refrain from accepting any “compensation” from CDK unless it is accompanied by an express reservation of all rights signed by CDK. At the same time, dealers should keep good business records of any losses, costs, or expenses incurred by reason of the CDK outages, including a timeline of the outage as it affected their operations and copies of CDK’s communications to them.