The Federal Trade Commission closed its settlement case with a dealer software provider involved in a data breach but not before accepting a public comment from the National Automobile Dealers Association, which took a broad view of the developments.
Late last week, the FTC approved a final order settling charges against DealerBuilt, an Iowa-based dealer software provider that allegedly failed to take reasonable steps to secure consumers’ data, leading to a breach that exposed the personal information of millions of consumers.
In its complaint, the FTC alleged that LightYear Dealer Technologies, which does business as DealerBuilt, failed to implement readily available and low-cost measures to protect the personal information it obtained from its dealer clients. The FTC alleged these failures led to a breach of DealerBuilt’s backup database beginning in late October 2016, when a hacker gained access to the unencrypted personal information — such as Social Security numbers and other sensitive data — of about 12.5 million consumers stored by 130 DealerBuilt customers.
As part of the settlement with the FTC, DealerBuilt is prohibited from sharing, collecting, or maintaining personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects.
Among other things, the order requires DealerBuilt to implement specific safeguards that address the allegations in the FTC complaint.
The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years.
Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. In addition, the order requires a senior corporate manager responsible for overseeing DealerBuilt’s information security program to certify compliance with the order every year.
Finally, the order grants the FTC the authority to approve the assessor for each two-year assessment period.
So why did NADA get involved? In his letter to the FTC, NADA vice president of regulatory affairs Paul Metrey emphasized that his comments did not stem from the merits of the proposed consent agreement between the FTC and DealerBuilt. Rather, Metrey said his letter was “to urge the commission to refrain from using this or other individual enforcement actions to determine whether, and to what extent, it should amend its Standards for Safeguarding Customer Information (Safeguards Rule) which the commission is currently reviewing in a separate notice of proposed rulemaking (NPR).”
Metrey continued by sharing his recommendation on how the FTC could carry out that review.
“The process for developing regulatory standards that affect entire industries should be developed in a transparent, informed, and data-driven manner by seeking public input from stakeholders on a variety of issues, including the costs, burdens, and benefits related to the standards — or amended standards — under consideration,” he said. “Developing or backing into regulatory standards by relying on enforcement actions that are based on discrete fact patterns and case-specific legal or policy arguments could exclude from the commission’s review key considerations to an issue.
“As the commission considers potential modifications to the Safeguards Rule, we urge it to base its final action on the record that is developed in response to the NPR and not on consent orders that it has entered into with respondents for alleged violations of the Safeguards Rule,” Metrey went on to say.
After receiving that one comment, the FTC voted 5-0 to approve the administrative complaint and to accept the consent agreement with DealerBuilt as well as a response to NADA.