Data security settlement with service provider includes updated order provisions

The domino principle. The ripple effect. The butterfly phenomenon. Apply the analogy of your choice to describe what happens when one software developer’s allegedly lax security practices result in the breach of confidential customer information maintained by multiple businesses that use the software. If your business is a service provider – or if your company uses third-party service providers to help manage your data – a proposed FTC settlement merits your attention. One notable aspect of the case: a proposed order that includes new data security requirements reflecting the current Commission priority of updating its data security orders.

Many third-party service providers sell industry-specific data management software to consumer-facing businesses. One example is DealerBuilt, software for auto dealers developed by LightYear Dealer Technologies. DealerBuilt is a big name in the business, numbering some of the largest dealerships in the country as clients. Dealerships that license DealerBuilt’s software collect and maintain large amounts of sensitive financial, payroll, accounting, and other information about consumers and employees. Dealers who use the software can have DealerBuilt host their data or they can host it on their own servers. Businesses that choose the second option regularly back up their databases onto DealerBuilt’s network.

Before getting to the inevitable information uh-oh that led to law enforcement action, let’s hit pause to consider some of DealerBuilt’s practices during the time relevant to the FTC’s proposed administrative complaint. According to the FTC:

• DealerBuilt stored information in clear text, without any access controls or authentication protections like passwords or tokens. Data transmitted between dealerships and DealerBuilt’s backup database was in clear text, too.
• DealerBuilt didn’t have a written information security policy in place.
• DealerBuilt didn’t provide reasonable data security training for employees or contractors.
• DealerBuilt didn’t assess risks to the sensitive data on its network by conducting periodic risk assessments or performing vulnerability and penetration testing.
• DealerBuilt didn’t use readily available security measures to monitor – among other things – unauthorized attempts to transfer sensitive information.
• DealerBuilt didn’t put reasonable data access controls in place – for example, systems to limit inbound connections to known IP addresses or require authentication to access backup databases.
• DealerBuilt didn’t have a reasonable process to select, install, and secure devices with access to personal information.

Against that backdrop of alleged security failures, what happened next shouldn’t come as a surprise. To increase available backup storage, a DealerBuilt employee bought a storage device and installed it on the company’s network in April 2015. According to the FTC, DealerBuilt management didn’t take steps to ensure the device was set up securely. Had someone checked, they would have learned the device created an open connection port that allowed transfers of information.

Fast forward to late October 2016 when a hacker “walked through” that open port to gain unauthorized access to DealerBuilt’s backup database, including the unencrypted personal information of more than 12 million consumers that 130 of its client dealerships had stored with the company. The hacker attacked the system multiples times, downloading the personal information of 69,283 consumers and the entire backup directories of five dealerships. And that’s not all because for a substantial period of time, DealerBuilt’s insecure settings were indexed on a public website hackers use to locate insecure connected devices. What was ultimately stolen? Among other things, consumers’ Social Security numbers, driver’s license numbers, and dates or birth, as well as wage and financial information about dealership employees – five-star favorites of identity thieves.

DealerBuilt learned about the breach on November 7, 2016, when a dealership called, demanding to know why customer data was publicly accessible on the internet. According to the FTC, it wasn’t until a reporter told DealerBuilt about the security vulnerability that the company became aware of the open port on its storage device.

Count 1 of the complaint should look familiar to FTC watchers. The FTC alleges that the company’s failure to employ reasonable security measures was an unfair practice, in violation of the FTC Act. Count 2 is worth special mention because DealerBuilt meets the Gramm-Leach-Bliley Act’s definition of “financial institution.” That triggers compliance with the GLB Safeguards Rule, which the FTC alleges DealerBuilt violated by – among other things – failing to develop, implement, and maintain a written information security program; failing to identify reasonably foreseeable risks to the security, confidentiality, and integrity of customer information; and failing to implement basic safeguards and regularly test their effectiveness.

To settle the case, the company has agreed to a proposed order that includes noteworthy new provisions you’ll want to review carefully. Like the orders in the Clixsense and iDressup cases announced in April, the proposed order in this case requires a senior DealerBuilt officer to provide the FTC with annual certifications of compliance. The order also requires DealerBuilt to implement specific, enforceable safeguards that address the issues alleged in the complaint – for example, requiring the company to conduct yearly employee training, monitor its systems for data security incidents, implement access controls, and inventory devices on its network. In addition, the proposed order makes significant changes to further improve the accountability of the third-party assessor responsible for reviewing DealerBuilt’s data security program. What’s more, the order gives the FTC increased access to documents and other materials upon which the assessor bases his or her conclusions.

Why the updated settlement terms? The more specific order provisions, the mandatory senior management focus on security issues, the in-depth “look under the hood” evaluation required of assessors, and new FTC monitoring tools are all designed to ensure order compliance and – if necessary – enforcement.

Once the proposed settlement is published in the Federal Register, the FTC will accept public comments for 30 days. What can other companies take from the case?

Train and supervise your employees to be security-centric. Designating someone to be in charge of security at your business is a start, but it doesn’t mean you then get to pretend that vulnerabilities don’t exist. Companies that handle consumers’ sensitive personal information have a responsibility to consider security all along the way. Conduct staff training appropriate to the nature of your business and update it to reflect current risks and threats. What’s more, make sure someone is supervising the supervisors whose decisions have a big impact on security at your company.

Exercise care when installing devices with network access. Like sticking a finger in a socket, adding certain devices to your system runs the risk of inflicting a substantial shock. Think through the security implications and make sure any device is properly installed.

GLB coverage is broad. The phrase “financial institution” may conjure up images of passbooks, tellers, and pens chained to tables, but that’s not how the Gramm-Leach-Bliley Rules define the term. Consider whether your business could be a financial institution subject to the GLB Safeguards Rule.

If your company uses third-party software or providers, build security into your contracts. Even if another company’s conduct is implicated in a breach, your customers’ information could be at risk and they’ll want to know what you did to protect them. As the FTC’s publication Start with Security suggests, when entrusting data to third-party service providers, spell out your security expectations, monitor what they’re doing on your behalf, and follow websites that report on known vulnerabilities.

Service providers are accountable for protecting the personal data they collect and store. Even if your operations are behind the scenes, you still may be liable for violations of the law. If you handle sensitive consumer data on behalf of other companies, security should be front and center.