What the FTC said in their consent order against Dealerbuilt could have an impact on how dealers, other financial institutions, and their service providers do business.
This video was originally published in June 2019.
Problems storing Non-Public Personal Information
In June of 2019, the Federal Trade Commission issued a proposed consent order against LightYear Dealer Technologies d/b/a DealerBuilt. It stands as a cautionary tale for dealers and their service providers.
DealerBuilt is a company that was, well, built by dealers. It developed and sells dealership management system software and data processing services to automobile dealerships across the country. That DMS tracks, manages, and stores both customer and employee data, including an enormous amount of nonpublic personal information (or NPI).
All of that NPI was stored in clear text, without any access controls or authentication protections (such as passwords). DealerBuilt routinely transmitted the data between servers at the dealership and its backup servers in cleartext.
In the spring of 2015, in order to increase capacity, DealerBuilt personnel added a large storage device to its existing backup network. Unfortunately, that device was not configured securely and created an open connection port for approximately 18 months.
And what, exactly, is an “open connection port”? It’s a little like a screen door on a submarine: pretty much anything can get in – and out.
For those 18 months, DealerBuilt did not perform any vulnerability scanning or penetration testing that could have discovered the open connection port. Eventually, it was exploited, resulting in a major loss of customer and employee NPI.
The FTC concluded that DealerBuilt’s failure to provide reasonable security for consumer NPI caused substantial harm to consumers (and the dealerships that used the DealerBuilt DMS) in the form of fraud, identity theft, monetary loss, and time spent remedying the problem.
Dealerbuilt falls within the Safeguards Rule's definition of a financial institution.
Here’s where things get interesting. Since May 23, 2003, “financial institutions” have been subject to the Safeguards Rule. Most dealerships are “financial institutions” because they originate “covered accounts" such as installment sale contracts and leases.
What’s interesting from DealerBuilt’s perspective is that it, too, falls within the Rule’s definition of a financial institution. Why? Because it processes data, and if “the data to be processed, stored or furnished are financial, banking or economic” you’re a “financial institution” within the meaning of the Safeguards Rule.
So why is that interesting? Because DealerBuilt also fits the definition of “service provider” under the Rule. Entities covered by the Rule are required by its terms to only do business with service providers that can, and are bound by contract to, follow the Safeguards Rule.
So if the FTC viewed DealerBuilt in its capacity as a service provider, the FTC would not have gone after DealerBuilt – but it could have gone after the 268 dealership locations that violated the Rule by using DealerBuilt without confirming it was complying with the Rule. Instead, the FTC viewed DealerBuilt in its role as a financial institution to which the Safeguards Rule applied in the first instance.
What can we learn from the Dealerbuilt Case?
Obviously, the FTC chose one action against a single respondent rather than 268 against individual dealerships. We call that “judicial economy.” But there are lessons to be learned from the case beyond just who got sued, and why.
Here’s the big takeaway: If DealerBuilt was a service provider, and failed to follow the Safeguards Rule; then every dealership that used DealerBuilt could be liable for failing to follow the Safeguards Rule by using a non-compliant service provider.
The Safeguards Rule requires dealerships to have contract language that requires their service providers to follow the Rule. In the wake of the DealerBuilt case, now would be a good time to check your contracts to make sure that language exists. Even better would be a stand-alone Data Security agreement between your dealership and its service providers. But however you satisfy this requirement, make sure you satisfy it!