OFFICIAL PUBLICATION OF THE NEW JERSEY COALITION OF AUTOMOTIVE RETAILERS

2026 Pub. 26 Issue 1

Lessons from the 700Credit Data Breach

Understanding Dealer Obligations When Vendor Systems Are Compromised

Background

In December 2025, 700Credit confirmed that a data breach occurred within its systems between May and October 2025, affecting dealer customer data. The breach resulted in the unauthorized exposure of unencrypted personal information, including names, addresses and Social Security numbers, to third parties.

According to 700Credit, the breach occurred when a third-party API (Application Programming Interface) was improperly exposed, allowing unauthorized access to sensitive data. The data was reportedly encrypted when stored, but because the third party obtained the API key, the data was exposed to third parties in unencrypted form.

Fundamental Dealer Obligations for Data Breaches

Unfortunately, the automotive retail industry — like many sectors — has experienced numerous large-scale data breaches in recent months. This incident serves as an important reminder of dealers’ core legal obligations:

Under federal and state law, dealers must:

  • Protect customer data maintained in their systems;
  • Preserve the privacy of customer information; and
  • Provide required notifications when breaches occur

When a breach of customer data occurs, dealers have a federal duty to notify the Federal Trade Commission (FTC), as well as any state law obligations to notify affected consumers, state agencies, and other specified parties.

For comprehensive information on related compliance requirements, visit www.complyauto.com for resources on the FTC Safeguards Rule, FTC Privacy Rule, New Jersey Data Privacy Act, and state data breach notification laws.

Unique Challenges When Breaches Occur at Vendor Systems

A critical complicating factor in this incident is that the breach occurred not within dealer-controlled systems, but at a third-party vendor. This distinction raises several important considerations for dealers.

Dealers Retain Notification Obligations — Even When Breaches Occur at Vendors

The FTC and all 50 states have enacted data breach notification laws, though they differ significantly. Many ComplyAuto dealers have utilized the ComplyAuto Data Breach Wizard to navigate their jurisdiction-specific legal obligations. This comprehensive tool guides users through potential federal requirements and obligations across all states.

Critical Principle: In all cases, the dealer — not the vendor — bears the ultimate obligation to notify the FTC, state attorneys general, and affected consumers.

However, vendors may handle these notifications on behalf of dealers if the vendor agrees to assume this responsibility. For agency notices, the relevant state and federal agencies permit the third party to file notices on the dealer’s behalf.

When vendors send notices on dealers’ behalf, the communications should generally reflect that the dealer is issuing the notice. In other words, notifications should be sent “from the dealership,” even when the vendor manages distribution.

Additionally, important distinctions may exist between consumer notices and those issued by the attorney general or a state agency. During this breach incident, dealers in different states had varying experiences with state agencies. Some attorneys general permitted 700Credit to file notices on dealers’ behalf, while others declined or only agreed after intervention from state automobile trade associations.

Dealers Require Prompt and Detailed Information from Vendors

In situations like this, rapid communication is essential. Both federal and state notification requirements impose aggressive timing mandates. Dealers must inform affected consumers as quickly as possible — in most cases, within 30 days. These timelines are designed to serve the statutes’ fundamental purpose: alerting consumers that their data is at risk and enabling them to take protective measures.

To meet these requirements, dealers need prompt answers to the following questions:

  1. What happened? (At minimum, a general description of the incident)
  2. Was the data encrypted when accessed? This is a critical threshold question in almost all jurisdictions.
  3. Does the vendor know, with reasonable certainty, the scope of affected data?
  4. Were dealer systems compromised? Could they have been?
  5. What specific data was impacted? (Names, addresses, Social Security numbers, etc.) Each state has different rules regarding which data elements trigger notification requirements.
  6. How many of your dealership’s customers were affected? Who are they? This presents a unique challenge with vendor breaches, where customer data from multiple dealers often resides in a single database.

Dealers need to know right away what happened and which of their customers were affected, or may have been affected, to fulfill their notification obligations and determine whether specific legal thresholds have been met.

Dealers Must Exercise Due Diligence in Vendor Selection and Oversight

Remember as well that while dealers may outsource to technology vendors, dealers remain responsible for the activity of those vendors and must follow certain processes when selecting and overseeing vendors. Dealers are responsible for:

  • Conducting thorough due diligence when selecting vendors;
  • Establishing contracts that clearly define vendors’ data protection responsibilities and breach cooperation obligations; and
  • Monitoring vendors to ensure promised protections are implemented and maintained

While these practices must be established before a breach occurs, when incidents do happen, dealers should use them as opportunities to evaluate the breach’s impact, assess the vendor’s response, and consider implications for the ongoing relationship.

Dealers Must Incorporate Vendor Breach Considerations Into Information Security Plans

The FTC Safeguards Rule requires dealers to create comprehensive plans ensuring that sensitive personal data is protected, whether maintained in internal systems or at vendor locations. When a breach occurs at a vendor, dealers must evaluate the implications for their data security posture.

This evaluation should include:

  • Understanding the nature and cause of the breach;
  • Obtaining assurances that the vulnerability has been fully remediated; and
  • Assessing whether the vendor presents an unreasonable ongoing risk to data security

Dealers should document these assurances from the affected vendor and include this analysis in their annual board reports to demonstrate proper due diligence in vendor management. Use this incident as an important opportunity to comprehensively review your current vendor relationships, particularly those involving third-party integrations.

ComplyAuto Resources and Support

ComplyAuto’s Privacy solution provides comprehensive tools to address these challenges, including:

  • 50-State Breach Notification Wizard: Navigate complex federal and state-specific requirements, whether the incident occurs at a vendor or at the dealership, using the only tool of its kind in the industry
  • Vendor Management Tools: Properly oversee and document third-party relationships, including the critical contract amendments and oversight required for all vendors
  • Policy Management: Maintain current, compliant policies
  • Annual Board Reporting: Fulfill Safeguards Rule documentation requirements
  • Staff Training: Ensure your team understands their obligations
  • State Privacy Law Compliance: Address evolving state-level requirements, including those under the New Jersey Privacy Act (NJPA)
  • Online Tracking Technology Tools: Manage litigation risks and maintain full compliance at the federal and state levels

For dealers not currently using ComplyAuto Privacy, contact ComplyAuto today to partner with the dealership compliance experts and the endorsed provider of NJ CAR for dealership privacy compliance.

This article is provided for informational purposes and does not constitute legal advice. Dealers should consult with qualified legal counsel regarding their specific obligations and circumstances.
