Page 29 - SMRH Eye on Privacy 2019 Year in Review Brochure

FTC and Car Dealership Software Company Reach Security Settlement
Posted on June 24, 2019
The FTC recently settled with LightYear Dealer Technologies, maker of DealerBuilt software, over allegations that the company failed to provide adequate protection for the personal data it houses. The company’s clients include many car dealers across the country, and its software allows those dealerships to store consumer information collected during the car purchase process. This information includes sensitive personal information (Social Security numbers) and financial information (payroll information and credit card numbers). According to the FTC complaint, a company employee without “guidance or . . . steps to ensure the . . . device was securely configured” attached a new storage device to the company servers. This device left a connection port open for an 18-month period. During that time, no vulnerability scanning, penetration testing, or other diagnostics were conducted, according to the FTC. Instead, the vulnerability went undetected until a hacker exploited it and accessed the DealerBuilt backup server. As a result, the hacker accessed millions of consumers’ information, including downloading five clients’ information. This information included almost 70,000 Social Security numbers, drivers’ license numbers, and payroll details. The company was, the FTC said, unaware of the breach until it was contacted by an impacted client.
According to the FTC, the company had engaged in several practices that constituted a failure to provide reasonable security, namely (1) not having a written information security policy, (2) not having reasonable training or guidance for employees, (3) not assessing risks to personal information on its networks, (4) not using “readily available” security measures or verifying the effectiveness of protection measures, (5) not having reasonable security controls, (6) storing information in clear text, and (7) not having a reasonable way to select and install devices that will access personal information. The FTC found these failures to be a violation of both the Gramm-Leach-Bliley Act Safeguards Rule and Section 5 of the FTC Act. To settle the matter, LightYear has agreed to implement an Information Security Program and take steps not to repeat the alleged procedural failings that the FTC believed led to the breach. The company has also agreed to have the program assessed regularly by a “qualified, objective, independent third-party,” who will provide documentation about the assessment to the FTC. The company has also agreed to have a senior official certify, annually, that the company is complying with the settlement.
PUTTING IT INTO PRACTICE: This recent settlement outlines for companies the FTC’s continued expectation that they secure information and systems. The settlement terms provide a good overview of the types of things the FTC expects companies to do, including reasonable training, procedures for implementing new systems, and methods for testing security.
SEC Issues Alert On Outsourcing and Data Security
Posted on June 11, 2019
The SEC recently issued a risk alert warning about the use of vendors and cloud-based platforms. Many broker-dealers and investment advisers are turning to these third parties to store customer data. In its alert, the SEC’s Office of Compliance Inspections and Examinations warns firms that relying on those third parties’ security tools is not, in and of itself, sufficient for the firms to demonstrate compliance with Regulations S-P and S-ID. These regulations require broker-dealers and investment advisers to protect customer records and to detect and prevent identity theft. Of concern to the SEC are firms that may have inadequately configured the security settings on their network storage systems, whether on-site or cloud-based. Also of concern, and mentioned in the report, is a failure to exercise enough oversight over the vendors’ security settings. The SEC warns firms to have policies and procedures sufficient to (a) identify all the different types of customer data and (b) implement appropriate controls to protect each class of data. It also recommends that companies have vendor management policies that provide for regular implementation and monitoring of software patches and hardware updates.
PUTTING IT INTO PRACTICE: This alert from the SEC is a reminder that companies cannot rely only on third parties’ representations about security. Companies will also want to conduct proactive and ongoing assessments of the security settings of both their own and their vendors’ network storage systems.