FTC Settles Data Security Claims with Auto Dealer Tech Provider

June 12, 2019, 6:29 PM UTC

An auto industry technology company has settled Federal Trade Commission claims related to a data breach that the agency said exposed the personal information of more than 12 million people.

LightYear Dealer Technologies LLC, which does business as DealerBuilt, agreed to have an FTC-approved outside company assess its cybersecurity program every two years and have its executives take responsibility for data security compliance, under the proposed settlement the commission released June 12.

The settlement reflects the agency’s new direction in data security enforcement actions. The FTC said in April that it’s been rethinking the provisions in its orders, including improving third-party assessments of data security and requiring senior officers to certify compliance every year.

“The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third party assessor’s accountability and providing the FTC with additional tools for oversight,” FTC Chairman Joe Simons said in a statement announcing the order.

DealerBuilt didn’t immediately respond to a request for comment.

DealerBuilt’s inadequate data security practices led to a 2016 breach of its backup database that exposed 12.5 million individuals’ personal information, the FTC said. A hacker gained access to the unencrypted information and downloaded the data of more than 69,000 people, the agency said.

The Iowa-based company, which sells dealer-management system software and other services to auto dealers, allegedly violated the prohibition against unfair practices in the FTC Act, as well as the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to have a comprehensive information security program.

The company cannot transfer, sell, collect, or store personal information unless it creates an information security program to protect that data, under the terms of the proposed settlement. The company also must establish additional safeguards to address the FTC allegations.

The third-party assessor that reviews DealerBuilt’s data security program must “specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review,” the FTC said.

A “senior corporate manager” who oversees DealerBuilt’s data security program also must certify annually that the company complies with the order, under the proposed settlement.

To contact the reporter on this story: Sara Merken in Washington at smerken@bloomberglaw.com

To contact the editors responsible for this story: Rebecca Baker at rbaker@bloomberglaw.com; Keith Perine at kperine@bloomberglaw.com
