The Federal Trade Commission (FTC) entered into a proposed settlement with LightYear Dealer Technologies, LLC (aka DealerBuilt) on June 12, 2019, over allegations of lax consumer privacy protections. While no fines were levied, the order is remarkable for its detailed and extensive requirements governing the company’s future data privacy practices and the FTC’s role in overseeing implementation. The terms include specific instructions for mandatory third-party assessments of the company’s data privacy program using an assessor approved by the FTC, yearly reporting requirements, and imposition of personal responsibility on senior management for compliance with a comprehensive data privacy program.

The FTC’s complaint alleges that DealerBuilt, which licenses its LightYear software management system to car dealerships across the United States, collected and stored a massive amount of personal data but failed to provide reasonable data privacy protections for it. The company’s customers include some of the country’s largest Ford and Honda dealerships. DealerBuilt customers have the option either to license LightYear and use their own server or use DealerBuilt’s backup service, which stores customer data on DealerBuilt’s servers. The FTC alleged that personal information of millions of consumers was left exposed when a hacker gained access to unencrypted data stored in DealerBuilt’s customer backup database in October 2016. The hacker downloaded the personal information of some 69,000 consumers, including Social Security numbers, driver’s license numbers, and payroll details.

Among the additional claims alleged by the FTC are that DealerBuilt failed to:

  • Implement or maintain a written data security policy and reasonable data security guidance or training for employees or third-party contractors;
  • Assess the risks to the personal information stored on its network, such as by conducting periodic risk assessments or performing vulnerability and penetration testing of the network;
  • Use readily available security measures to monitor its systems and assets;
  • Impose reasonable data access controls, such as restricting inbound connections to known IP addresses, and requiring authentication to access backup databases;
  • Encrypt consumers’ personal information and put in place a reasonable process to select, install, secure, and inventory devices with access to personal information.

Under the terms of the proposed settlement, DealerBuilt is banned from “transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program” that is subject to third-party assessments every two years. Unusually, the order also gives the Commission authority to approve the assessor every two years, and it requires that the assessor present detailed evidence that supports its conclusions via “independent sampling, employee interviews, and document review.” Senior management is obliged to certify that DealerBuilt has established, implemented, and maintained the requirements of the order; is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and that certification “is based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.”

The DealerBuilt settlement reflects “additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” according to Chairman Joe Simons. By imposing responsibility for compliance on senior executives for the second time in the last month, the DealerBuilt order signals an increased willingness on the part of Commissioners to impose deterrents as well as detailed mandates on companies that do not provide a reasonable level of data security for their customers’ personal information, and the growing role that management accountability is playing in privacy and security cases.