Recent Settlement Agreements Indicate the FTC is All-In on Data Security
In the first half of 2019, the Federal Trade Commission (“FTC”) entered into settlement agreements with several entities whose data security programs were inadequate or non-existent. Unlike previous settlements, these recent settlement agreements impose specific security requirements rather than “reasonable security safeguards.” The FTC’s most recent settlement agreement with LightYear Dealer Technologies LLC (“LightYear”) is representative of these new settlement agreements.
LightYear served as a third-party service provider of software (DealerBuilt) and data hosting services to multiple large auto dealers across the country. The DealerBuilt software collected large amounts of sensitive financial, accounting, payroll, and other information from dealers’ employees and customers, including names, addresses, birth dates, employee bank account numbers, and social security numbers. Dealers had the option of storing the DealerBuilt databases on their own servers or on LightYear’s network. In many cases, the FTC found that dealers opting to store their data locally still regularly backed up their DealerBuilt databases to LightYear’s network. The data breach occurred over 10 days in 2016 and was caused by a hacker exploiting an unsecured storage device that a LightYear employee had connected to LightYear’s backup network in an effort to daisy-chain more storage. The hacker gained access to unencrypted personal information of approximately 12.5 million consumers. LightYear was not aware of the breach until one of its dealer customers asked LightYear why the dealer’s customers’ information was publicly available on the internet.
The FTC alleged LightYear violated the Gramm-Leach-Bliley Act’s Safeguards Rule and the FTC Act’s prohibition on unfair practices. Through its investigation, the FTC determined LightYear’s data security program was inadequate, finding that LightYear did not:
- Apply encryption to hosted and backup DealerBuilt data. Information was stored as plain text without any access controls or even simple authentication protections like passwords or tokens.
- Implement or maintain written information security policies and procedures.
- Provide data security training for its employees or contractors.
- Conduct periodic risk assessments, vulnerability scanning, or penetration testing to assess the risk to the sensitive data on its network.
- Deploy readily available security safeguards to monitor its network for unauthorized attempts to access or transfer data.
- Implement reasonable security controls to limit data access (e.g., only allowing known IP addresses to connect to its internal network).
- Implement reasonable security processes to secure, control, or monitor devices with access to personal information.
The FTC imposed multiple significant and specific security requirements on LightYear in the settlement agreement. Some of the more notable requirements are as follows:
- Designate a qualified employee or employees to coordinate and be responsible for LightYear’s comprehensive information security program.
- Conduct security risk assessments at least once every 12 months.
- Implement data access controls for all databases containing Personal Information by, at a minimum, (a) restricting inbound connections to approved IP addresses, (b) requiring authentication to access databases, and (c) implementing role-based access controls.
- Conduct vulnerability testing of LightYear’s network once every four months and penetration testing once every 12 months.
- Obtain initial and biennial information security assessments by a third party and provide copies of the results to the FTC upon request.
While seemingly overbearing and undoubtedly expensive for LightYear, the specificity of the security requirements provides valuable guidance to entities, especially those in industries where data security is an evolving concept, as to what is expected of them. The FTC has doubled down on data security and in doing so has bolstered its case to be the federal agency in charge of administering any future federal data privacy law.