June 18, 2019

FTC announces settlement with automobile dealer software systems company

On June 12, 2019, the Federal Trade Commission announced a settlement with LightYear Dealer Technologies, LLC (doing business as DealerBuilt), a Missouri company that develops and sells dealer-management system software services to automobile dealers.  The settlement, once final, will resolve allegations that the company’s inadequate data security led to a breach in which millions of consumers’ data was exposed, in violation of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Federal Trade Commission’s Standards for Safeguarding Customer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (“GLB”) Act, 15 U.S.C. § 6801 et seq.  

The FTC alleged in its complaint that an employee of the company connected a storage device to the backup network but failed to ensure that the device was securely configured, exposing the data collected by the DealerBuilt software – which included Social Security numbers, birth dates, and addresses – for 18 months.  According to the FTC, the company:

  • failed to perform tests that would have detected the vulnerability;
  • did not develop, implement or maintain an adequate information security policy;
  • did not properly train employees in information security;
  • failed to assess and understand the security risks to personal information stored on its systems;
  • failed to put security measures in place to monitor its systems; 
  • stored personal information in plain text; 
  • failed to implement a device management policy; and
  • did not impose reasonable data access controls.

The FTC asserts that these deficiencies led to a breach of the company’s backup database, during which, over a 10-day period, a hacker stole the unencrypted personal information of over 12 million consumers.

The proposed settlement, which will become final after a 30-day public comment period, after which the FTC will publish its final decision, prohibits LightYear/DealerBuilt from collecting or storing personal information unless it implements a comprehensive information security program.  The settlement also requires a bi-annual assessment of the company’s data security program by a third-party assessor approved by the FTC.