The FTC alleges that the data DealerBuilt collected was stored and transmitted in clear text, in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires encryption of sensitive data. Data also was stored without access controls or authentication protections, also deemed necessary under the rule.
The FTC considers DealerBuilt’s activities an example of unfair practices.
DMS systems typically store private and public consumer data, including but not limited to names, addresses, birth dates, credit information and Social Security numbers. The software also contains similarly sensitive information about dealership employees, such as payroll data and bank account information, according to the statement.
The complaint also alleges that a DealerBuilt employee “connected a storage device to the company’s backup network without ensuring that it was securely configured, leaving an insecure connection for 18 months.”
Additionally, the FTC alleges DealerBuilt never conducted vulnerability or penetration testing; drafting, implementing or maintaining a written security policy; or provided training for employees.
The matter will be resolved with a final consent agreement, which won’t be made public unless it is accepted by the FTC. As part of the proposed consent agreement, DealerBuilt is required to implement a security program in accordance with the Safeguards Rule, and is prohibited from handling consumer data until the program is in place.
The settlement also requires the company to get third-party assessments of its security program every two years.
The FTC does not have authority to seek monetary penalties for an initial violation, but if the company violates the settlement, the commission could seek civil penalties of up to $42,530 per violation.