Auto Dealer Software Company Settles FTC Charges for Failing to Adequately Protect Consumer Data

The FTC approved a settlement with an auto dealer software company for failure to enact sufficient data protection measures.

In a proceeding before the FTC, Lightyear Dealer Technologies, LLC ("Lightyear") was charged for collecting "large quantities" of personal information regarding dealership consumers and employees without securely connecting its storage device to the company's backup system. The FTC's Bureau of Consumer Protection found that the personal data was exposed for 18 months. A hacker allegedly accessed Lightyear's data storage system and acquired the personal information of 69,283 consumers. The FTC alleged that Lightyear did not have procedures in place to detect a data breach. According to the FTC, Lightyear became aware of the breach only when an auto dealer complained that its customers' personal data were publicly available on the Internet.

Pursuant to the settlement, Lightyear will be (i) prohibited from collecting or using consumers' personal information until a comprehensive information security program is implemented, and (ii) required to receive third-party assessments of its information security program every two years.

Commentary

This action is by no means industry-specific. Any company that fails to sufficiently protect consumer data is subject to enforcement action. This action fits with other recent FTC proceedings involving consumer information, such as its billion fine against Facebook for inadequate privacy protections and its 75 million fine against YouTube for inadequately protecting children’s privacy.
