The FTC called it the “butterfly phenomenon”. But this case is noteworthy not only because of the absence of a ‘culture of privacy’ that led to the regulator’s enforcement action, but also because the FTC imposed a culture of privacy as part of resolving the case.
How did it start? A DealerBuilt employee bought a storage device and installed it on the company’s network in April 2015, but didn’t take steps to ensure the device was set up securely. The device created an open connection port that allowed transfers of information. In October 2016, a hacker accessed the open port to gain unauthorized access to DealerBuilt’s backup database, including the unencrypted personal information of more than 12 million consumers that 130 of its client dealerships had stored with the company. The hacker attacked the system multiple times, downloading the personal information of 69,283 consumers and the entire backup directories of five dealerships. The FTC also alleged that DealerBuilt’s insecure settings were indexed on a public website that hackers used to locate insecure connected devices. DealerBuilt learned about the breach on November 7, 2016, when a dealership called, demanding to know why customer data was publicly accessible on the internet. But, according to the FTC, it wasn’t until a reporter told DealerBuilt about the security vulnerability that the company became aware of the open port on its storage device.
DealerBuilt agreed to a Consent Agreement that requires a senior DealerBuilt officer to provide the FTC with annual certifications of compliance and requires DealerBuilt to implement specific, enforceable safeguards that address the issues alleged in the complaint. DealerBuilt must conduct yearly employee training, monitor its systems for data security incidents, implement access controls, and inventory devices on its network.
This settlement is a reminder on the front-end to implement proper policies, procedures, and training designed to protect consumer data and to prevent a data breach, lest a data breach on the back-end result in draconian regulatory enforcement.