Following a public comment period, the Federal Trade Commission approved a final order settling charges against an Iowa-based auto dealer software provider that allegedly failed to take reasonable steps to secure consumers’ data, leading to a breach that exposed the personal information of millions of consumers.
In its complaint, the FTC alleged that LightYear Dealer Technologies, LLC, which does business as DealerBuilt, failed to implement readily available and low-cost measures to protect the personal information it obtained from its auto dealer clients. The FTC alleges these failures led to a breach of DealerBuilt’s backup database beginning in late October 2016, when a hacker gained access to the unencrypted personal information—such as Social Security numbers and other sensitive data—of about 12.5 million consumers stored by 130 DealerBuilt customers.
As part of the settlement with the FTC, DealerBuilt is prohibited from sharing, collecting, or maintaining personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects. Among other things, the order requires DealerBuilt to implement specific safeguards that address the allegations in the FTC complaint.
The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. In addition, the order requires a senior corporate manager responsible for overseeing DealerBuilt’s information security program to certify compliance with the order every year. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.
After receiving one comment, the Commission voted 5-0 to approve the administrative complaint and to accept the consent agreement with DealerBuilt as well as a response to the commenter.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).