September 16, 2021

Volume XI, Number 259

DealerBuilt Settles with New Jersey Over Data Breach

The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC, doing business as DealerBuilt, over a 2016 data breach. The company provides its clients, car dealerships, with software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. According to the AG’s order, the company misconfigured a file synchronizing program. As a result, sensitive information was available publicly, and a security researcher downloaded almost 10GB of data in the fall of 2016. Included in the downloaded data was sensitive personal information of about five car dealerships’ customers and employees.

DealerBuilt notified impacted individuals in early 2017. The New Jersey investigation arose after that notification. To resolve the investigation, DealerBuilt agreed with the AG to put in place a written security program within 120 days after the effective date of the order. Such programs are not required under New Jersey law. As part of that program, DealerBuilt agreed to have appropriate physical safeguards, encryption, access protocols and other similar security measures, as well as to appoint an officer experienced in security to implement and maintain the program. DealerBuilt also agreed to keep information only for the purposes needed to “accomplish the intended purpose” of DealerBuilt or its clients. DealerBuilt will pay a little over $80,000 as part of the settlement.

Putting it Into Practice: This order gives companies some insight into what the New Jersey attorney general expects of companies with respect to data security, including a written security program, even absent a New Jersey law requiring written security programs (such laws exist in other states, like Massachusetts).

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VIII, Number 302

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Amber Thomson, Sheppard Mullin Law Firm, Litigation Attorney
Associate

Amber C. Thomson is an associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

202-747-2658