National Automobile Dealers Association chairman Charlie Gilchrist recently wrote about how data and digital issues remain a high priority for the organization.
And it appears those topics certainly are being monitored by the Federal Trade Commission, too.
Early this week, the regulator announced an Iowa company that sells software and data services to dealers has agreed to take steps to better protect the data it collects, to settle allegations that the firm’s poor data security practices led to a breach that exposed the personal information of millions of consumers.
In a complaint, the FTC alleges that LightYear Dealer Technologies (doing business as DealerBuilt) failed to implement readily available and low-cost measures to protect personal information it obtained from its dealer clients.
“Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” FTC chairman Joe Simons said in a news release.
“The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third-party assessor’s accountability and providing the FTC with additional tools for oversight,” Simons continued.
Officials recapped that DealerBuilt develops and sells dealer-management system software and data processing services to dealers across the country. The software collects large quantities of personal information about dealership consumers, including names, addresses, birth dates and Social Security numbers. Its payroll software collects similar information from dealership employees, along with bank account information.
The FTC alleged that the personal data DealerBuilt collected was stored and transmitted in clear text, without any access controls or authentication protections.
According to the FTC’s complaint, a DealerBuilt employee connected a storage device to the company’s backup network without ensuring that it was securely configured, leaving an insecure connection for 18 months.
The company never performed any vulnerability scanning, penetration testing or other measures that would have detected the vulnerability, according to the complaint.
The FTC also alleged that DealerBuilt failed to take other steps to protect personal data stored on its network such as developing, implementing or maintaining a written information security policy and training for employees; using security measures to monitor its systems and assets; and imposing reasonable data access controls.
The regulator went on to allege these failures led to a breach of DealerBuilt’s backup database beginning in late October 2016 over a 10-day period, when a hacker gained access to the unencrypted personal information of about 12.5 million consumers stored by 130 DealerBuilt customers. The hacker downloaded the personal information of more than 69,000 consumers, including their Social Security numbers, driver’s license numbers and birthdates, as well as wage and financial information.
Officials pointed out DealerBuilt did not detect the breach until it was notified by one of its dealer customers, who demanded to know why its customer data was publicly available on the Internet, according to the complaint. The types of personal information stolen from DealerBuilt — names, addresses and Social Security numbers — are often used to commit identity theft and fraud, the complaint noted.
The FTC alleged that DealerBuilt violated the FTC Act’s prohibition against unfair practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive information security program.
As part of the proposed settlement with the FTC, DealerBuilt is prohibited from transferring, selling, sharing, collecting, maintaining or storing personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects.
Among other things, the order requires DealerBuilt to implement specific safeguards that address the allegations in the FTC complaint.
The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review.
In addition, the order requires a senior corporate manager responsible for overseeing DealerBuilt’s information security program to certify compliance with the order every year. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.
The FTC vote to issue the proposed administrative complaint and to accept the consent agreement with DealerBuilt was 5-0.
The regulator reiterated that it issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the FTC that a proceeding is in the public interest.
When the FTC issues a consent order on a final basis, officials explained it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.