December 02, 2025

In November 2025, it was reported that 700Credit, a provider of credit-related services, suffered a significant data breach potentially affecting more than eight million customer records. The allegedly impacted information includes consumers’ names, addresses, and Social Security numbers. This breach involved information copied from 700Credit’s web-based application 700Dealer.com between May and October 2025.

As dealers know, a data breach may trigger notice requirements under both state and federal law. Under the Federal Safeguards law, a breach involving 500 or more individuals’ information will trigger a requirement that dealers notify the Federal Trade Commission. At the urging of OADA and other dealer associations, NADA worked with 700Credit and the FTC to ensure that 700Credit will be allowed to file a consolidated breach notice on behalf of all its dealer-clients. See the alert here.

Similarly, under Ohio law, to determine whether an obligation to notify consumers exists, a dealer first needs to know (1) the information that was compromised, (2) the number of individuals affected, and (3) the names of those individuals.  At this time, OADA recommends that dealers who use 700Credit reach out directly to 700Credit to request more information on the scope of the breach and how the breach may have impacted the dealership’s customers. We also recommend contacting legal counsel and your insurance company to discuss the obligations you may have to your impacted customers.

To assist dealers with understanding their obligations, here is a summary of data breach notification requirements under Ohio law and recommendations you can put in place now.

Ohio's Security Breach Notification Act (ORC 1349.19)

Under Ohio’s Security Breach Notification Act, consumers must be notified of any security breach of stored “personal information”. A breach is defined as the “unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.” A resident is any individual whose principal mailing address as reflected in the business’ records is in Ohio.

“Personal Information” is defined as an individual’s first name or first initial and last name, in combination with any of the following data elements, if those data elements are not encrypted, redacted, or altered to make them unreadable:

  • Social Security Number
  • Driver's License Number or State ID Card Number
  • Account Number, Credit or Debit Card Number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Notification to consumers should be made as soon as possible but not later than forty-five days following discovery or notification of the breach, subject to the legitimate needs of law enforcement activities and consistent with any measures necessary to determine the scope of the breach, including which personal information was accessed and acquired, and to restore the reasonable integrity of the data system.

Notice to consumers may be provided by any of the following methods:

  • Written notice.
  • Electronic notice, if the person's primary method of communication with the consumer was by electronic means.
  • Telephone notice.

Substitute notification provisions apply if it can be demonstrated that notice cannot be provided by the means described above due to a lack of sufficient contact information, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed $250,000, or that the affected class of residents to whom disclosure or notification is required exceeds 500,000 people. Substitute notice requires all of the following:

  • Electronic mail notice if the person has an electronic mail address.
  • Conspicuous posting of the disclosure or notice on your web site.
  • Notification to major media outlets, to the extent that the cumulative total of the readership, viewing audience, or listening audience of all the outlets so notified equals or exceeds seventy-five per cent of the population of Ohio.

If circumstances arise that require disclosure to more than 1,000 residents involved in a single occurrence of a breach of the security of the system, then there exists an additional obligation to notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given to consumers. This notice should be given without unreasonable delay.

The Ohio Attorney General has the authority to investigate and bring a civil action for any alleged failure to comply with these notification requirements.

Steps to Take Now

Dealers should start by getting more details from 700Credit, such as 1) identifying the dealership’s customers, if any, that were impacted by the breach; 2) requesting what dealership-provided information was impacted; and 3) requesting what notices, if any, are being sent to those customers, state agencies, or credit reporting agencies by 700Credit.

Dealers should also do the following:

  1. Notify legal counsel and insurance providers to discuss the notices that may need to be sent to customers, and your state/federal reporting requirements.

  2. Proactively take the steps necessary to protect your customers and the dealership:
    1. Review and update the dealership's risk assessments to include all risks, including cybersecurity risks inherent to your business, the controls you have in place to mitigate those risks, and how you will address any residual risk.
    2. Be vigilant in training employees regarding phishing attempts.
    3. Work with your cyber/IT professionals to test for vulnerabilities in your data security systems.
    4. Review vendor contracts for provisions related to indemnification and damages, as well as the vendors' obligations to safeguard customer data.
    5. Continue monitoring your vendors.

Helpful Resources

The Federal Trade Commission publication for businesses that have experienced a data breach offers good advice on assembling a breach response team and fixing vulnerabilities, and includes a Model Letter for notifying consumers whose Social Security Numbers have been stolen. Review Data Breach Response: A Guide for Business with your staff.

Also, OADA’s partners are here to help. ComplyAuto is OADA’s partner for cybersecurity/privacy/Safeguards Rule compliance. ComplyAuto’s CEO, Brad Miller, published an article detailing the events of the 700Credit breach. As a reminder, ComplyAuto customers have access to Data Breach Wizard within the ComplyAuto software that will walk you through the complicated questions you need to answer regarding the scope of the breach at your dealership.

Please review NADA’s Safeguards Rule Driven Guide and FTC Cybersecurity Basics for additional information.

We will continue to provide additional information as it becomes available.  Please contact Sara Bruce, Vice President of Legal Affairs, at sbruce@oada.com or 614-923-2243, or Matthew Smallwood, Staff Counsel, at msmallwood@oada.com or 614-923-2232, with any questions.