FTC Settlement with DealerBuilt Over Data Security Offers Lessons for All Dealerships

With vehicles retaining and sharing more data than ever before, the Federal Trade Commission has stepped up its policing of dealerships and third-party software companies when it comes to personal data security. Recently, dealer software company LightYear Dealer Technologies, LLC, which also does business as DealerBuilt, was accused by the FTC of violating the provisions of the Standards for Safeguarding Customer Information Rule, which is part of the Gramm-Leach-Bliley Act. The company reached a settlement with the FTC, promising to revamp its security practices.

While the settlement has specific business directives for DealerBuilt, the FTC is taking the opportunity to ensure that all dealers and their third-party technology companies and partners understand the implications of data security in 2019, and their responsibilities for keeping customer information safe.

According to the FTC, the bare minimum companies that handle consumer data should be engaging in to safeguard that information includes:

Putting it in writing. Dealers and their software partners should implement a written information security program and ensure that the company’s senior management is provided with the written plan at least once per year and promptly after a security incident.

Putting someone in charge. Dealers and their software providers should designate a qualified individual to be responsible for the company’s information security program.

Reviewing it regularly. It’s recommended that dealers conduct regular reviews of the program, including a review at least once per year and in the event of a security incident.

Building a checklist for the steps that need to be taken. Ensure that the company’s security program incorporates:

  • Annual employee training;
  • Technical, administrative, and physical safeguards for data;
  • Encryption of Social Security numbers and financial account information;
  • A process for ensuring secure installation and inventory of all devices;
  • Service provider controls; and
  • Regular assessments, penetration testing and audits of the program.

Security experts note that it’s not enough for dealers to assume their software partners are keeping data safe. Any company dealing with personal data, including the dealership itself, should take note and put a formal data security review process in place. Never presume that software or other service providers, such as call centers, have robust data privacy policies in place.

Agreements with third parties should be undertaken cautiously, as dealers cannot later claim that they simply didn’t know that personal information was being handled improperly. Always ask third parties for robust descriptions of their data security practices, and check references before signing any agreements.