July 15, 2019

FTC Settles Lax Data Security Charges with Software Seller

The Federal Trade Commission (FTC) entered into a proposed settlement with LightYear Dealer Technologies, LLC (aka DealerBuilt) on June 12, 2019, over allegations of lax consumer privacy protections. While no fines were levied, the order is remarkable for its detailed and extensive requirements governing the company’s future data privacy practices and the FTC’s role in overseeing implementation. The terms include specific instructions for mandatory third-party assessments of the company’s data privacy program using an assessor approved by the FTC, yearly reporting requirements, and imposition of personal responsibility on senior management for compliance with a comprehensive data privacy program.

The FTC’s complaint alleges that DealerBuilt, which licenses its LightYear software management system to car dealerships across the United States, collected and stored a massive amount of personal data but failed to provide reasonable data privacy protections for it. The company’s customers include some of the country’s largest Ford and Honda dealerships. DealerBuilt customers have the option either to license LightYear and use their own server or use DealerBuilt’s backup service, which stores customer data on DealerBuilt’s servers. The FTC alleged that personal information of millions of consumers was left exposed when a hacker gained access to unencrypted data stored in DealerBuilt’s customer backup database in October 2016. The hacker downloaded the personal information of some 69,000 consumers, including Social Security numbers, driver’s license numbers, and payroll details.

Among the additional claims alleged by the FTC are that DealerBuilt failed to:

  • Implement or maintain a written data security policy and reasonable data security guidance or training for employees or third-party contractors;

  • Assess the risks to the personal information stored on its network, such as by conducting periodic risk assessments or performing vulnerability and penetration testing of the network;

  • Use readily available security measures to monitor its systems and assets;

  • Impose reasonable data access controls, such as restricting inbound connections to known IP addresses, and requiring authentication to access backup databases;

  • Encrypt consumers’ personal information and put in place a reasonable process to select, install, secure, and inventory devices with access to personal information.

Under the terms of the proposed settlement, DealerBuilt is banned from “transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program” that is subject to third-party assessments every two years. Unusually, the order also gives the Commission authority to approve the assessor every two years, and it requires that the assessor present detailed evidence that supports its conclusions via “independent sampling, employee interviews, and document review.” Senior management is obliged to certify that DealerBuilt has established, implemented, and maintained the requirements of the order; is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and that certification “is based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.”

The DealerBuilt settlement reflects “additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” according to Chairman Joe Simons. By imposing responsibility for compliance on senior executives for the second time in the last month, the DealerBuilt order signals an increased willingness on the part of Commissioners to impose deterrents as well as detailed mandates on companies that do not provide a reasonable level of data security for their customers’ personal information, and the growing role that management accountability is playing in privacy and security cases.

© 2019 Keller and Heckman LLP

About this Author

Sheila A. Millar, Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters. She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall, Partner

Tracy Marshall joined Keller and Heckman in 2002. She assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

202-434-4234