Tech Company Settles Data Security Action With FTC


An Iowa tech company reached a deal with the Federal Trade Commission (FTC) to settle allegations that the company’s poor data security practices resulted in a breach that exposed the personal information of millions of consumers.

LightYear Dealer Technologies develops and sells management software and data processing services for auto dealers around the country. The software collects large quantities of personal data about dealership customers, such as names, addresses, birth dates, and Social Security numbers, as well as information about dealership employees (including their bank account information).

Despite having possession of so much personal data, LightYear stored and transmitted it in clear text, without any access controls or authentication protections, the FTC said.

The data breach occurred when a LightYear employee connected a storage device to the company’s backup network, creating an insecure connection that remained open for 18 months. A hacker gained access to the unencrypted data of roughly 12.5 million consumers, according to the FTC’s administrative complaint.

The company could have avoided the problem by implementing readily available and low-cost data security measures, the FTC said. Instead, LightYear failed to perform any vulnerability scanning, penetration testing, or other measures that would have detected the vulnerability. Nor did the company have a written information security policy or provide training for its employees.

To settle the charges of violations of the FTC Act and the Gramm-Leach-Bliley Act’s Safeguards Rule, LightYear agreed to a consent order that mandates several steps to better protect the data it collects. The company must establish a written comprehensive information security program, implement data access controls, designate a qualified employee with oversight responsibility and a senior corporate manager who will certify compliance with the consent order on an annual basis, and undergo third-party assessments of the program every two years.

To read the complaint and the consent order in In the Matter of LightYear Dealer Technologies, click here.

Why it matters: The settlement agreement demonstrates “additional and significant improvements” to the FTC’s data security orders, FTC Chair Joe Simons said in a statement about the case, reflecting a priority of the current commissioners. To further protect consumers and deter lax security practices, the consent order “imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third-party assessor’s accountability and providing the FTC with additional tools for oversight.”


© 2020 Manatt, Phelps & Phillips, LLP.

All rights reserved