Companies are constantly looking to the Federal Trade Commission to give them a clearer picture of what it considers to be “reasonable data security practices.” A recently proposed settlement may have done just that.
On June 12, the FTC issued a consent decree against LightYear Dealer Technologies, which does business as DealerBuilt, a software company that serves car dealerships. The company’s “poor data security practices” allowed a hacker to access the unencrypted personal information of 12.5 million people, according to the FTC, and the company agreed to settle the agency’s allegations that it violated the Gramm-Leach-Bliley and FTC acts. The proposed settlement lays out a laundry list of data security practices DealerBuilt would have to follow going forward.
The FTC has come under fire for issuing vague demands in its past orders in cybersecurity cases, which led to a setback at a federal appeals court last year. While the FTC appears to be getting specific about the data protection practices it wants to see from companies, the requirements in the DealerBuilt deal appear to be relatively basic.