On June 12, 2019, the Federal Trade Commission announced a settlement with LightYear Dealer Technologies, LLC (doing business as DealerBuilt), an Iowa company that develops and sells dealer-management system software and services to automobile dealers. The settlement, once final, will resolve allegations that the company’s inadequate data security led to a breach in which millions of consumers’ data was exposed, in violation of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Federal Trade Commission’s Standards for Safeguarding Customer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (“GLB”) Act, 15 U.S.C. § 6801 et seq.
The FTC alleged in its complaint that an employee of the company connected a storage device to the company’s backup network but failed to ensure that the device was securely configured, leaving the data collected by the DealerBuilt software – which included Social Security numbers, birth dates, and addresses – exposed for 18 months. According to the FTC, the company:
- failed to perform tests that would have detected the vulnerability;
- did not develop, implement or maintain an adequate information security policy;
- did not properly train employees in information security;
- failed to assess and understand the security risks to personal information stored on its systems;
- failed to put security measures in place to monitor its systems;
- stored personal information in plain text;
- failed to implement a device management policy; and
- did not impose reasonable data access controls.
The FTC asserts that these deficiencies led to the breach of the company’s backup database: over a 10-day period, an attacker accessed the database and took the unencrypted personal information of over 12 million consumers.
The proposed settlement will become final after a 30-day public comment period, following which the FTC will publish its final decision. It prohibits LightYear/DealerBuilt from collecting or storing personal information unless it implements a comprehensive information security program, and it requires an assessment of the company’s data security program every two years by a third-party assessor approved by the FTC.