A software and data services company that provided dealer management software to auto dealerships recently settled an FTC Complaint and entered into an Agreement Containing Consent Order regarding alleged inadequate data security practices that led to a data breach.
In settling the investigation of violations of the FTC Act and the Safeguards Rule of Graham Leach Bliley, the Company neither admitted nor denied the allegations. The FTC Complaint alleged the company created data security vulnerabilities that led to a hack, exposing unencrypted personal information of 12.5 million consumers and the downloading of approximately 69,000 consumers’ personal information.
Among other inadequate data protection practices, according to the FTC, the company’s errors included the following: it failed to develop, implement, or maintain a written organizational information security policy; it did not provide training or guidance to employees or third-party contractors regarding data security and safeguarding consumers’ personal information; it failed to assess the risks to consumer information stored on its network by not performing risk assessment testing; and it failed to use readily available security measures to monitor systems to identify data security events.
A key vulnerability arose from the company’s storage of vast amounts of consumer information in clear text without controls or encryption of that information that would have inhibited outside efforts to access it. The company also created a backup storage system connected to its network without adequate security configuration and an open connection port for a period of 18 months. During that period of time, the company’s database was breached for ten days, and an unauthorized hacker freely accessed consumer information.
The Consent Order mandates the implementation of an extensive information security program, periodic assessments to be conducted by a qualified third-party, annual certifications regarding the implementation of the enumerated controls and requirements of the Order, and other compliance reporting measures.