FTC Settles Data Security Allegations with Software/Data Services Provider

Weiner Brodsky Kider PC

A software and data services company that provided dealer management software to auto dealerships recently settled an FTC Complaint and entered into an Agreement Containing Consent Order regarding alleged inadequate data security practices that led to a data breach.

In settling the investigation into alleged violations of the FTC Act and the Gramm-Leach-Bliley Safeguards Rule, the company neither admitted nor denied the allegations. The FTC Complaint alleged that the company created data security vulnerabilities that led to a hack, exposing the unencrypted personal information of 12.5 million consumers and resulting in the downloading of approximately 69,000 consumers’ personal information.

Among other inadequate data protection practices, according to the FTC, the company’s errors included the following: it failed to develop, implement, or maintain a written organizational information security policy; it did not provide training or guidance to employees or third-party contractors regarding data security and safeguarding consumers’ personal information; it failed to assess the risks to consumer information stored on its network by not performing risk assessment testing; and it failed to use readily available security measures to monitor systems to identify data security events.

A key vulnerability arose from the company’s storage of vast amounts of consumer information in clear text, without access controls or encryption that would have inhibited outside efforts to access it. The company also connected a backup storage system to its network without an adequate security configuration, leaving a connection port open for a period of 18 months. During that period, the company’s database was breached for ten days, and an unauthorized hacker freely accessed consumer information.

The Consent Order mandates the implementation of an extensive information security program, periodic assessments to be conducted by a qualified third-party, annual certifications regarding the implementation of the enumerated controls and requirements of the Order, and other compliance reporting measures.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Weiner Brodsky Kider PC | Attorney Advertising
