Companies are constantly looking to the Federal Trade Commission to give them a clearer picture of what it considers to be “reasonable data security practices.” A recently proposed settlement may have done just that.
On June 12, the FTC issued a consent decree against LightYear Dealer Technologies, which does business as DealerBuilt, a software company that serves car dealerships. The company’s “poor data security practices” allowed a hacker to access the unencrypted personal information of 12.5 million people, according to the FTC, and the company agreed to settle the agency’s allegations that it violated the Gramm-Leach-Bliley and FTC acts. The proposed settlement lays out a laundry list of data security practices DealerBuilt would have to follow going forward.
The FTC has come under fire for issuing vague demands in its past orders in cybersecurity cases, which led to a setback at a federal appeals court last year. While the FTC appears to be getting specific about the data protection practices it wants to see from companies, the requirements in the DealerBuilt deal appear to be relatively basic.
The DealerBuilt agreement shows improvements in the FTC’s data security orders “that will further protect consumers and deter lax security practices,” said FTC Chairman Joe Simons in a press release. He added that, among other provisions, the settlement “requires company executives to take more responsibility for order compliance.”
In recent years, the FTC has been the federal government’s most active enforcer of data privacy and security standards. It has brought complaints against companies under Section 5 of the FTC Act, reasoning that inadequate data protection is an “unfair or deceptive” practice.
In June 2018, the 11th Circuit Court of Appeals vacated an order the FTC issued to medical diagnostics company LabMD. The order, which directed LabMD to implement a data security program that meets the agency’s standards, was ruled unenforceable for being too vague.
In the opinion, Judge Gerald Tjoflat wrote that the order “does not enjoin a specific act or practice” but “mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.”
The FTC’s newest proposed settlement, however, shows an agency adjusting after an appellate loss.
DealerBuilt, a company with about 80 employees in Iowa and Texas, sells a software suite that’s used by nearly 320 auto dealership locations. The software tracks, manages and stores an array of data that’s central to auto dealership operation: sales, finance, inventory, payroll, parts and service, among other information. This data includes employee and consumer information.
In 2015, DealerBuilt directed one of its employees to buy a storage device and connect it to the company’s backup network, according to the FTC’s complaint. But the company didn’t take steps to make sure the device was securely configured before the employee attached it. Once connected, the device exposed a port that remained open to data transfers for about a year and a half. DealerBuilt could have discovered the open port by running vulnerability scans or penetration tests, but it only discovered it after the breach occurred, according to the complaint.
The FTC alleged numerous shortcomings through which DealerBuilt violated Section 5 of the FTC Act and the Safeguards Rule of the Gramm-Leach-Bliley Act. Among these was its failure to “develop, implement, or maintain a written organizational information security policy” or to give employees reasonable guidance or training on safeguarding consumers’ personal information, according to the complaint.
The proposed settlement would direct DealerBuilt to mitigate those failures, plus audit various aspects of its information security program every 12 months, among other requirements. The provisions should contain no surprises and are “the bare minimum” for companies that are maintaining a serviceable cybersecurity program, according to Ed Hopkins, the managing attorney of HopkinsWay, whose practice focuses on data privacy and security.
“Nothing here is unexpected,” Hopkins said. “Everyone who has been reading cybersecurity law for the past 5 or 10 years has been reading all of this.”
One example is the access control provision: For any databases storing personal information, DealerBuilt would need to restrict access to only approved IP addresses, require authentication and limit employee access to only the databases they need to do their jobs.
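One way to encode that provision as an enforceable check, written here as an added example (not the settlement’s text or DealerBuilt’s code; the approved networks, roles and database names are constructed):

```python
"""Access-control check modelled on the three requirements in the settlement's
database provision: approved source addresses, mandatory authentication, and
employee access limited to the databases a role needs. Added example; all
networks, roles and database names below are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed allowlist of approved source networks (e.g. office and VPN ranges).
APPROVED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.20.0.0/16")]

# Constructed least-privilege map: each role may reach only the databases its job needs.
ROLE_DATABASES = {
    "payroll_clerk": {"payroll"},
    "service_advisor": {"service", "parts"},
    "sales_rep": {"sales", "inventory"},
}


@dataclass
class AccessRequest:
    source_ip: str
    authenticated: bool
    role: str
    database: str


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed control is reported rather than
    just the first, so a denial log shows which safeguard was missing."""
    reasons: list[str] = []
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return False, ["unparseable source address"]
    if not any(ip in net for net in APPROVED_NETWORKS):
        reasons.append(f"source {ip} is not an approved address")
    if not req.authenticated:
        reasons.append("request is not authenticated")
    if req.database not in ROLE_DATABASES.get(req.role, set()):
        reasons.append(f"role {req.role!r} has no business need for {req.database!r}")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed unauthenticated request from an outside address, as in the breach scenario.
    print(evaluate(AccessRequest("198.51.100.7", False, "", "payroll")))
```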
Hopkins said most of the provisions act as reminders to companies about what they’re already required to do, such as the Gramm-Leach-Bliley Act’s requirement that a financial institution designate a qualified employee to coordinate and oversee its information security program.
It’s ambiguous in the decree, however, whether the FTC means to apply the GLBA’s data protection requirements to all companies, not just financial institutions. A plaintiffs’ attorney might use a broad reading of that provision, Hopkins said.
Noting the comprehensive list of fixes the FTC is directing DealerBuilt to make, Hopkins called the DealerBuilt scenario one of the most egregious he’d ever seen.
“The fact that anyone could access this data in cleartext format would shock any data security professional,” Hopkins said. “You are just inviting a curious hacker to just go in and get it.”
Even if the FTC mostly limits its cybersecurity enforcement actions to the most egregious cases or the “low-hanging fruit,” all companies can use the DealerBuilt settlement as guidance for what the agency thinks they should be doing at a minimum to protect consumer information, Hopkins said.
— Doug Chartier