Lightyear Dealer Technologies (operating as DealerBuilt) left confidential personal details of millions of people exposed online without proper security precautions, and at least one hacker managed to download the names, Social Security numbers and payroll details of at least 69,000 of its customers. The Federal Trade Commission (FTC) settled the case but imposed no fine on DealerBuilt. Instead, the FTC required the company to hire an outside firm to assess its cybersecurity program every two years. The FTC also required DealerBuilt’s senior officers to certify compliance every year.
FTC officials said that the settlement was part of the federal agency’s move to make company officers more cognizant of their responsibilities to their clients and to make clear their personal accountability.
Sara Merken filed this report for Bloomberg Law:
“The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third party assessor’s accountability and providing the FTC with additional tools for oversight,” FTC Chairman Joe Simons said in a statement announcing the order.
DealerBuilt didn’t immediately respond to a request for comment. DealerBuilt’s inadequate data security practices led to a 2016 breach of its backup database that exposed 12.5 million individuals’ personal information, the FTC said. A hacker gained access to the unencrypted information and downloaded the data of more than 69,000 people, the agency said.
The Iowa-based company, which sells dealer-management system software and other services to auto dealers, allegedly violated the prohibition against unfair practices in the FTC Act, as well as the Gramm-Leach-Bliley Act’s Safeguards Rule that requires financial institutions to have a comprehensive information security program.
The company cannot transfer, sell, collect, or store personal information unless it creates an information security program to protect that data, under the terms of the proposed settlement. The company also must establish additional safeguards to address the FTC allegations.