FTC Cracking Down on Lax Data Security

On June 12, 2019, the Federal Trade Commission (FTC) settled with LightYear Dealer Technologies, LLC (LightYear) over a major data breach that occurred in October of 2016 and the subsequent allegations that LightYear’s data security was woefully insufficient.

LightYear, an auto dealer software provider operating under the name DealerBuilt, provides dealer-management system software and data processing and/or storage services to its dealership clients. The company is one of the biggest operators in its field, with some of the largest dealers in the country utilizing its software in their day-to-day operations. The products licensed to these dealerships collect large quantities of personal and financial information, including consumers’ Social Security numbers and bank account information.

According to the FTC, LightYear’s problematic data security practices included:

  • Storing information in clear text without any encryption or authentication protection (e.g., passwords).
  • Failing to have a written information security policy in place.
  • Failing to provide any data security training to employees or contractors.
  • Failing to perform periodic risk assessments or vulnerability testing of its systems.
  • Failing to use readily available security measures to monitor for unauthorized transfers of sensitive information.
  • Failing to put reasonable data access controls in place.
  • Failing to have any reasonable processes to secure devices with access to sensitive personal information.

In order to address these issues, the proposed settlement:

  • Prohibits LightYear from transferring, selling, sharing, collecting, maintaining or storing personal information until it implements and maintains a comprehensive information security program;
  • Requires LightYear to implement specific, enforceable safeguards that address the issues outlined in the complaint (listed above);
  • Requires a senior officer to provide the FTC with annual compliance certifications;
  • Requires LightYear to retain an independent third party to assess its information security program every two years;
  • Gives the FTC authority to approve the third-party assessor.

This is an incredibly hands-on approach to enforcement and is consistent with the direction the FTC has been moving in the realm of data security, as evidenced by the Clixsense and iDressup settlements announced in April.