WASHINGTON—Following a public comment period, the Federal Trade Commission approved a final order settling charges against an Iowa-based auto dealer software provider that allegedly failed to take reasonable steps to secure consumers’ data, leading to a breach that exposed the personal information of millions of consumers.
In its complaint, the FTC alleged that LightYear Dealer Technologies, LLC, which does business as DealerBuilt, failed to implement readily available and low-cost measures to protect the personal information it obtained from its auto dealer clients. The FTC alleges these failures led to a breach of DealerBuilt’s backup database beginning in late October 2016, when a hacker gained access to the unencrypted personal information—such as Social Security numbers and other sensitive data—of about 12.5 million consumers stored by 130 DealerBuilt customers.
Also Part of Settlement
As part of the settlement with the FTC, DealerBuilt is prohibited from sharing, collecting, or maintaining personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects. Among other things, the order requires DealerBuilt to implement specific safeguards that address the allegations in the FTC complaint.
The final order also requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and must conduct independent sampling, employee interviews, and document review rather than rely on management attestations alone. In addition, the order requires a senior corporate manager responsible for overseeing DealerBuilt’s information security program to certify compliance with the order every year. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.
