The FTC approved a settlement with an auto dealer software company for failure to enact sufficient data protection measures.

In a proceeding before the FTC, Lightyear Dealer Technologies, LLC ("Lightyear") was charged with collecting "large quantities" of personal information regarding dealership consumers and employees without securely connecting its storage device to the company's backup system. The FTC's Bureau of Consumer Protection found that the personal data was exposed for 18 months. A hacker allegedly accessed Lightyear's data storage system and acquired the personal information of 69,283 consumers. The FTC alleged that Lightyear did not have procedures in place to detect a data breach. According to the FTC, Lightyear became aware of the breach only when an auto dealer complained that its customers' personal data was publicly available on the Internet.

Pursuant to the settlement, Lightyear will be (i) prohibited from collecting or using consumers' personal information until a comprehensive information security program is implemented, and (ii) required to receive third-party assessments of its information security program every two years.

Commentary

Joel Mitnick

This action is by no means industry-specific. Any company failing to sufficiently protect consumer data is subject to enforcement actions. This action fits with other recent FTC proceedings involving consumer information, such as its $5 billion fine against Facebook for inadequate privacy protections and its $175 million fine against YouTube for inadequately protecting children's privacy.
