What’s the News?
The FTC’s complaint alleges that DealerBuilt was found to have taken inadequate steps to protect personal data in its care, leading to a breach of 12.5 million consumers’ data. Accordingly, DealerBuilt may now be forced to comply with a FTC order imposing several security program requirements, more detailed than those typically delineated for unfair and deceptive trade practices and violations of the Gramm-Leach-Bliley’s Safeguards Rule.
Where DealerBuilt Went Left
DealerBuilt is a dealer-management system (DMS) service provider and provides software to automotive dealerships across the country. The software collected in the DMS system includes consumer information such as names, addresses, dates of birth, and Social Security Numbers. In addition to consumer data, DealerBuilt also provides a payroll system for dealership employees that, in addition to the information collected from consumers, also stores bank account information.
Despite the sensitive information trusted to DealerBuilt, the FTC alleges that the company stored and transmitted such information in clear text (unencrypted) and failed to implement access controls or authentication procedures to protect against unauthorized access and/or acquisition of the personal data. Further, no penetration testing or vulnerability scans were conducted to detect unauthorized access. These failures resulted in the company allowing an insecure storage device to be connected to its system and a hacker to enter the system and access unencrypted personal information of close to 12.5 million consumers, downloading the information of more than 69,000. The breach went undetected by DealerBuilt until it was informed by one of its auto dealer clients.
Given the allegations above, the FTC has proposed a settlement with DealerBuilt that will require the company to update its security practices. Appropriate safeguards suggested by the FTC include requirements for DealerBuilt to:
- Implement a written information security program and ensure that the company’s senior management is provided with the written plan at least once per year and promptly after a security incident;
- Designate a qualified individual to be responsible for the company’s information security program;
- Conduct regular reviews of the program, including a review at least once per year and in the event of a security incident;
- Ensure that the company’s security program incorporates:
- Annual employee training;
- Technical, administrative, and physical safeguards for data;
- Encryption of Social Security Numbers and financial account information;
- A process for ensuring secure installation and inventory of all devices;
- Service provider controls; and
- Regular assessments, penetration testing and audits of the program.
The FTC further proposes an annual review of all security procedures, as well as a review in the event of a security incident. Additionally, the company must undergo an assessment every two years for a 20 year period, along with reporting to the FTC with the FTC having authority to review and approve the assessor chosen by DealerBuilt.
How to Stay the Course
This enforcement action and proposed settlement spells out clear requirements for companies that manage personal information. While several of these requirements, including the written information security program requirement, are already mandated by states such as Massachusetts, the FTC’s inclusion of these safeguards will have a widespread impact across the country. Companies dealing with personal data should take note. Additionally, all companies engaging service providers should be cautious to enter agreements requiring proper privacy and security practices for any business managing data on the company’s behalf.