FTC Settles Lax Data Security Charges with Software Seller
Monday, June 17, 2019
FTC Settles Lax Data Security Charges by DealerBuilt
Print Mail Download i

The Federal Trade Commission (FTC) entered into a proposed settlement with LightYear Dealer Technologies, LLC (aka DealerBuilt) on June 12, 2019, over allegations of lax consumer privacy protections. While no fines were levied, the order is remarkable for its detailed and extensive requirements governing the company’s future data privacy practices and the FTC’s role in overseeing implementation. The terms include specific instructions for mandatory third-party assessments of the company’s data privacy program using an assessor approved by the FTC, yearly reporting requirements, and imposition of personal responsibility on senior management for compliance with a comprehensive data privacy program.

The FTC’s complaint alleges that DealerBuilt, which licenses its LightYear software management system to car dealerships across the United States, collected and stored a massive amount of personal data but failed to provide reasonable data privacy protections for it. The company’s customers include some of the country’s largest Ford and Honda dealerships. DealerBuilt customers have the option either to license LightYear and use their own server or use DealerBuilt’s backup service, which stores customer data on DealerBuilt’s servers. The FTC alleged that personal information of millions of consumers was left exposed when a hacker gained access to unencrypted data stored in DealerBuilt’s customer backup database in October 2016. The hacker downloaded the personal information of some 69,000 consumers, including Social Security numbers, driver’s license numbers, and payroll details.

Among the additional claims alleged by the FTC are that DealerBuilt failed to:

  • Implement or maintain a written data security policy and reasonable data security guidance or training for employees or third-party contractors;

  • Assess the risks to the personal information stored on its network, such as by conducting periodic risk assessments or performing vulnerability and penetration testing of the network;

  • Use readily available security measures to monitor its systems and assets;

  • Impose reasonable data access controls, such as restricting inbound connections to known IP addresses, and requiring authentication to access backup databases;

  • Encrypt consumers’ personal information and put in place a reasonable process to select, install, secure, and inventory devices with access to personal information.

Under the terms of the proposed settlement, DealerBuilt is banned from “transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program” that is subject to third-party assessments every two years. Unusually, the order also gives the Commission authority to approve the assessor every two years, and it requires that the assessor present detailed evidence that supports its conclusions via “independent sampling, employee interviews, and document review.” Senior management is obliged to certify that DealerBuilt has established, implemented, and maintained the requirements of the order; is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and that certification “is based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.”

The DealerBuilt settlement reflects “additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” according to Chairman Joe Simons. By imposing responsibility for compliance on senior executives for the second time in the last month, the DealerBuilt order signals an increased willingness on the part of Commissioners to impose deterrents as well as detailed mandates on companies that do not provide a reasonable level of data security for their customers’ personal information, and the growing role that management accountability is playing in privacy and security cases.

© 2024 Keller and Heckman LLP

Current Legal Analysis

More from Keller and Heckman LLP

March 2024 Bounty Hunter Plaintiff Claims
by: Sophia B. Castillo , Gregory A. Clark
Supreme Court Declines to Review FDA Labeling Preemption for State Claims
by: Food and Drug Law at Keller and Heckman
Consolidated Appropriations Act of 2024 Protects Food Companies Against Lawsuits Targeting Healthy Claims
by: Food and Drug Law at Keller and Heckman
FDA Releases Data on EMA Honey
by: Food and Drug Law at Keller and Heckman
Telecom Alert: Broadband Consumer Labels Program; ACP May Reimbursement; Digital Equity State Capacity Grant; 5 GHz Rules for UAS [Vol. XXI, Issue 16]
by: Jaimy "Sindy" Alarcon , Jim Baller
Advance Notice, Potential Showcasing of Third-Party Representatives, and Other Impacts of OSHA’s Walkaround Rule
by: Lawrence P. Halprin
FDA Publishes Draft Guidance on NDIN Master Files
by: Food and Drug Law at Keller and Heckman
Telecom Alert: Robocall Spring Cleaning Initiative; NIST Cybersecurity Handbook; 6 GHz Interference Concern; New NEPA Categorical Exclusions [Vol. XXI, Issue 15]
by: Jaimy "Sindy" Alarcon , Jim Baller
CTP Releases New 5-year Strategic Plan
by: Azim Chowdhury
FDA Revokes Standard of Identity for Frozen Cherry Pie
by: Food and Drug Law at Keller and Heckman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins