OFFICIAL PUBLICATION OF THE NEW JERSEY COALITION OF AUTOMOTIVE RETAILERS

Pub. 23 2024 Issue 4

Data Privacy and Cybersecurity Update

Data protection and cybersecurity are a growing concern for companies — particularly dealerships. The following is a summary of the three data protection laws that went into effect or were enacted in 2024.

The NJ Data Protection Act

The New Jersey Data Protection Act (NJ DPA) is a comprehensive consumer data protection law that went into effect on January 15, 2025. The Act applies to organizations that conduct business in New Jersey OR produce products or provide services targeted to New Jersey residents; AND during a calendar year:

  • Control or process the personal data of at least 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or
  • Control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of any goods or services from the sale of personal data.

The Act exempts financial institutions, their affiliates, and data that are subject to the Gramm‑Leach‑Bliley Act (GLBA), which may include auto dealerships that offer consumers financial products or services involving credit, loans, and leases. Entities that do not offer financial services and are not subject to GLBA may be subject to the NJ DPA. The DPA does not apply to employment-related personal data or data collected in the business‑to‑business context. Obligations imposed by the Act on covered businesses include:

  • Providing a privacy notice to consumers.
  • Responding to consumer requests to access, correct, or delete the personal data collected by the business, or requests to opt out of the business selling that data to a third party or using it to serve online targeted advertising.
  • Implementing reasonable safeguards to protect consumer data.
  • Contractually obligating service providers with access to the business’ consumer data to implement reasonable safeguards to protect it.

56:12-18.1 (NJ Bill A4723)

Effective January 2024, motor vehicle dealers must offer to delete a consumer’s personal data from a vehicle upon taking possession of the vehicle for resale or lease. The connected nature of vehicles means that certain in-vehicle information systems (navigation history, paired phones and synced contacts, garage door codes, etc.) collect and store consumer personal data that otherwise passes to the next owner. A motor vehicle dealer who violates this law may be subject to a civil penalty of $500 for a first offense and $1,000 for any subsequent offense.

Amendment to the FTC Safeguards Rule

Effective May 2024, motor vehicle dealerships that are subject to GLBA must notify the Federal Trade Commission as soon as possible, and no later than 30 days after discovering a “notification event” in which unencrypted customer information of 500 or more consumers was acquired without authorization. This reporting obligation is in addition to any state data breach notification obligations that may apply. The amendment applies to incidents directly impacting a dealership as well as those impacting a vendor or service provider who has access to or processes information on behalf of the dealership. The breach notification rule supplements the Safeguards Rule requirement that dealerships maintain a comprehensive written information security program to protect customer information and an incident response plan, monitor service providers who have access to or process information on behalf of the dealership, and conduct employee security awareness training. Failure to comply with the Safeguards Rule can result in substantial financial penalties.

Mary T. Costigan and Jason Gavejian are Principals with Jackson Lewis P.C. and members of the firm’s national Privacy, Data and Cybersecurity practice group. Mary and Jason work out of the firm’s Berkeley Heights office and can be reached via email at mary.costigan@jacksonlewis.com and jason.gavejian@jacksonlewis.com.

FAQ: Understanding Ransomware Attacks (and How To Respond)

As dealers are a frequent target of cyberattacks, particularly ransomware attacks, the following are some frequently asked questions to help dealers understand these attacks and how best to respond.

  1. What types of organizations do ransomware groups target?
    It is a popular misconception that ransomware groups attack only large or high-profile targets, or businesses in specific industries. Unfortunately, any organization that has a computer connected to the internet is at risk regardless of their size, industry, or location. Given the vast amounts of personal information that dealerships have access to, they are a popular target for these attacks.
  2. What is a ransomware attack?
    During a ransomware attack, “threat actors” gain access to a device, conduct reconnaissance to identify sensitive information, and deploy malicious code to encrypt data or systems to render them unusable. They demand a ransom in exchange for the decryption key (to allow you to access your data) and/or to prevent them from leaking your stolen data on the Internet.
  3. How do threat actors gain access to an organization’s systems?
    While there are many ways threat actors can gain access, frequently it is through a phishing email or through the organization’s Remote Desktop Protocol (RDP) service, typically an internet-facing RDP login reached with weak, reused, or stolen credentials.
  4. What should dealers do in the event of a ransomware attack?
    The initial steps for responding to a ransomware attack can be remembered by the acronym CPR. The first critical step is Containing the incident — in other words, stopping the attack from spreading, typically by isolating affected systems from the network rather than wiping or reimaging them, which would destroy evidence. The second and third steps run on parallel tracks. These involve Preserving evidence of the attack while Restoring the impacted systems and data so the organization can continue business operations. This evidence will be critical for determining what happened and whether the incident triggers a legal reporting obligation for the organization.
  5. Is an organization immune to a ransomware attack if it has backup data?
    Not necessarily. The backup needs to be segregated so that threat actors can’t wipe or encrypt the backup data. Even if the organization has viable backup data, it can take days or weeks to restore from backup, so the likelihood of business disruption is still high. Additionally, while a backup may help the organization get back up and running, the threat actor may still seek a ransom in order to prevent them from leaking any stolen data.
  6. Do dealers need to conduct a forensic investigation of the incident?
    Conducting a forensic investigation is generally necessary for determining what happened as well as whether personally identifiable information was impacted. If the organization has cyber coverage, insurance carriers typically require conducting a forensic investigation using an expert third-party forensic investigation firm under the direction of external counsel to protect the investigation under attorney-client privilege.
  7. Is it illegal to pay a ransom?
    No, as long as the ransom group is not on the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (OFAC) list. The OFAC list consists of sanctioned individuals, entities, foreign jurisdictions and regimes with whom U.S. citizens and companies are prohibited from doing business. However, the FBI recommends not paying a ransom.
  8. Can dealers negotiate the ransom on their own?
    Ransom groups are typically sophisticated international criminals, and we recommend engaging a professional negotiator. These professionals have studied ransom groups and developed strategies for the negotiation process based on analysis of available information from prior group activities.
  9. How is a ransom paid?
    Ransom payments are facilitated by professional vendors who typically set up a Bitcoin (or similar cryptocurrency) wallet for the payment once the OFAC check has cleared.
  10. If the ransom is paid, is the attack over?
    No. The organization will need to ensure the threat actors are no longer in their systems. In addition, it may take time to restore impacted systems and data. If the organization pays for a decryption key, there is a risk the key may not work, and, in some cases, the encryption activity may have corrupted the data so it cannot be recovered. Additionally, the organization may need to monitor the dark web to determine if the threat actor has released any of the stolen data.
  11. What steps can dealers take to minimize the risk of being the victim of an attack?
    There are a number of steps, but the most important include:
    • Regularly updating the organization’s software and operating systems with the latest patches.
    • Removing outdated applications and operating systems. CISA identifies unsupported, end-of-life software as a frequent target because it no longer receives security updates, so known vulnerabilities in it remain exploitable.
    • Providing employees with regular security awareness training to help minimize the risk of opening attachments or clicking on links in unsolicited or suspicious emails.
    • Routinely backing up sensitive data and maintaining it in a segregated offline form.
    • Reviewing and updating the organization’s written information security program (WISP) and monitoring compliance. A WISP outlines how the organization will protect certain sensitive information. This is particularly important if the organization is subject to the FTC Safeguards Rule which requires implementing an appropriate written information security program.
    • Ensuring the organization’s IT staff has the training and tools needed to keep systems updated and the resources to stay updated on the threat landscape.
  12. What steps can dealers take to prepare for responding to a ransomware attack?
    There are several key steps to consider taking:
    • Understanding the terms of the organization’s cyber coverage and who to contact in the event of an attack.
    • Reviewing and updating the organization’s written Incident Response Plan (IRP). This is not a technical plan but rather an administrative plan that lays out who is on the incident response team, their role and responsibilities, the steps to take during an incident, what contractual and legal reporting obligations may apply (e.g., the FTC’s updated Safeguards Rule and breach reporting obligations), how you will handle internal and external communications, and related information.
    • Practicing the IRP.
    • Ensuring the organization’s IT team understands how to preserve evidence of the attack.
    • Ensuring the organization’s data is regularly backed up, offline, and viable.
    • Reviewing and updating the organization’s business continuity plan to prepare for potential disruption to business operations (invoicing, payment processing, etc.).
  13. What type of reporting obligations for the organization may be triggered by the attack?
    This will depend on the organization and the nature of the data impacted. For example, state data breach notification laws may apply depending on the type of personally identifiable information impacted. Notably, the applicable state law(s) will be determined based on the state of residence of the impacted individuals (which may be multiple states and thus multiple laws in scope). The amended FTC Safeguards Rule requires notifying the FTC within 30 days of discovering certain types of data breaches. Organizations that self-fund their employee health or wellness plans may be subject to a notification and reporting obligation under HIPAA if protected health information is impacted. In addition, the organization may have contractual obligations to notify a business partner, bank, or other third party if it experiences a security incident.
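Questions 5, 11, and 12 above stress that backups must be segregated and viable. The following is an added example, not part of the original article, showing one way to check viability before an organization relies on a backup: a manifest of SHA-256 digests is recorded when the backup is taken and stored apart from the backup itself (offline or on write-once storage, so that an attacker who can alter the backup cannot also alter the record used to check it); later, every file is re-hashed and compared with the manifest, and the backup’s age is checked against a maximum. File names, contents, and the seven-day age limit are constructed for the demonstration.

```python
"""Backup viability check (added example; not code from the article)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record the digest and size of every file in the backup and when it was taken.

    Store the returned manifest away from the backup (offline or write-once media).
    """
    files = {
        str(p.relative_to(backup_dir)): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }
    return {"taken_at": time.time(), "files": files}


def verify_backup(backup_dir: Path, manifest: dict, max_age_days: int = 7,
                  now: Optional[float] = None) -> dict:
    """Compare a backup against its manifest; 'ok' is True only if nothing is wrong."""
    now = time.time() if now is None else now
    report = {"missing": [], "corrupt": [], "unexpected": [], "stale": False}
    expected = manifest["files"]
    for rel, meta in expected.items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            report["corrupt"].append(rel)
    present = {str(p.relative_to(backup_dir)) for p in backup_dir.rglob("*") if p.is_file()}
    # Files not in the manifest may be leftovers or planted by an intruder; flag them too.
    report["unexpected"] = sorted(present - expected.keys())
    report["stale"] = (now - manifest["taken_at"]) / 86400 > max_age_days
    report["ok"] = not (report["missing"] or report["corrupt"]
                        or report["unexpected"] or report["stale"])
    return report


def demo() -> dict:
    """Build a constructed backup, verify it clean, then age it and tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        # Constructed sample backup contents.
        (backup / "customers.csv").write_text("id,name\n1,Example Customer\n")
        (backup / "deals.db").write_bytes(os.urandom(4096))
        manifest = write_manifest(backup)
        clean = verify_backup(backup, manifest)
        # Same files, but checked 30 days later: past the 7-day limit.
        stale = verify_backup(backup, manifest, now=manifest["taken_at"] + 30 * 86400)
        # Simulate ransomware rewriting one file and deleting another.
        (backup / "customers.csv").write_text("id,name\n1,ENCRYPTED\n")
        (backup / "deals.db").unlink()
        tampered = verify_backup(backup, manifest)
    return {"clean": clean, "stale": stale, "tampered": tampered}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

A check like this only proves the backup matches what was taken; a periodic test restore onto a separate system is still needed to confirm the data is usable, and the host running the check should have read-only access to the backup store.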

Ransomware attacks can cause a wide range of harm to any organization — business interruption, economic loss, reputational harm, investigation and legal costs, and loss of sensitive or proprietary information. Staying informed on the evolving risk landscape, data mapping to understand where the organization’s sensitive data resides, conducting regular system risk assessments, and practicing the Incident Response Plan are basic steps to help strengthen the organization’s resilience and ability to respond in the event of an attack.

For additional information and resources on ransomware attacks, visit the websites for NJ Cybersecurity & Communications Integration Cell, CISA, and FBI.
