[BreachExchange] FTC data breach deal sets precedent

[Destry Winant]

https://www.autonews.com/dealers/ftc-data-breach-deal-sets-precedent

In October 2016, hackers gained access to the personal information of
more than 12.5 million dealership customers at 130 stores through a
vulnerability in the dealership management system provided by software
vendor DealerBuilt.

Over 10 days, sensitive customer information — Social Security,
driver's license and credit card numbers, and addresses and birth
dates — were siphoned out of DealerBuilt's directories associated with
five dealership clients. In all, 9.75 gigabytes of data containing the
personal information of 69,283 consumers were downloaded.

Dealership employee data was likely taken as well, including payroll
and bank account information.

Last week, DealerBuilt, of Mason City, Iowa, settled with the Federal
Trade Commission for allegedly failing to properly encrypt sensitive
data and conduct necessary vulnerability and penetration testing, the
agency said in a statement.

The settlement, according to legal experts, sets a precedent for
treating service providers as financial institutions under the FTC's
Safeguards Rule, which requires companies to take steps to protect
sensitive digital information. But it doesn't transfer risk from auto
dealers to those service providers in the event of a breach. Instead,
experts said, the settlement expands responsibility to multiple
parties.

It means going forward "the service provider has direct liability,"
said Meghan Musselman, a partner at Hudson Cook. "It seems to be sort
of a sea change."

The FTC hasn't gone after a DMS company before, Musselman said.

Detected by dealer

The breach was discovered by a dealer who found customer information
on the Internet. The Achilles' heel of the system was allegedly a
storage device installed on the company's network in April 2015. The
FTC said the device was connected "without ensuring that it was
securely configured, leaving an insecure connection for 18 months."

This is where the hackers gained access.

According to an FTC blog post, "It wasn't until a reporter told
DealerBuilt about the security vulnerability that the company became
aware of the open port on its storage device."

DealerBuilt CEO Michael Trasatti told Automotive News in a statement
last week that the company began working with its dealer partners
immediately upon learning of the breach.

"We take securing customer data seriously," Trasatti said. "We work to
continuously improve our security."

John Darmento, director of the Paul Gillrie Institute, a dealership
consulting firm in Tampa, Fla., said Trasatti called all dealership
clients to tell them what had happened, updated the safeguards for the
systems and bought the dealerships insurance to protect them from
liability.

"It was really impressive. If they had a problem with a client, they
didn't have to worry. They were covered," Darmento told Automotive
News. "That was exactly the way to handle it. Other DMS companies
would still be pointing fingers."

Breach consequences

Todd Crossley, dealer principal at Gary Crossley Ford in Kansas City,
Mo., said DealerBuilt ensured that none of his customers were
affected. His store still uses DealerBuilt for its DMS.

"None of us like our [dealership management systems] in this industry.
I moved to these guys because they were the lesser of all evils. But
they've done a good job," Crossley said. "After [the breach] happened,
I've never had a company hammer security so hard from my side or
theirs. I feel really secure about them now."

Crossley said having control over where his customer data goes, and
not having to pay to access that data, is how dealers can stay
competitive and compliant.

"This is a really simple issue. We own the data," he said. "The data
was given to us by the customers, and it's our job to secure the
data."

Another dealer, who declined to be named, told Automotive News that
DealerBuilt reached out after the breach and that the dealership has
not been impacted by the incident.

But, according to the FTC, some dealers incurred additional costs as a
result of the breach. In its June 12 complaint, the FTC said,
"Businesses spent many hours handling breach response communications,
identifying affected consumers, and responding to consumer complaints.
Some dealerships retained legal counsel to respond to the breach."

The total costs of the breach are incalculable, according to the FTC,
because fraud activity resulting from such a breach may not occur for
years. Injuries to small businesses and consumers could include
"fraud, identity theft, monetary loss, and time spent remedying the
problem," the commission said. It's not clear whether any such
injuries occurred in this case.

Settlement terms

DealerBuilt is required to implement measures in accordance with the
Safeguards Rule and is prohibited from handling consumer data in any
capacity until a security program is designed and implemented. The
settlement also requires the company to obtain third-party assessments
of its security program every two years.

The FTC does not have authority to seek monetary penalties for an
initial violation, but if the company violates the settlement, the
commission could seek civil penalties of up to $42,350 per violation.

The FTC alleges in its proposed consent order with DealerBuilt that
the data the company had collected was stored and transmitted in clear
text, in violation of the Gramm-Leach-Bliley Act, which requires
financial institutions to ensure the security and confidentiality of
sensitive customer information.

The FTC also alleged that DealerBuilt stored data without access
controls or authentication protections, which is necessary under the
rule.

"The settlement with DealerBuilt imposes more specific security
requirements and requires company executives to take more
responsibility for order compliance, while also strengthening the
third party assessor's accountability and providing the FTC with
additional tools for oversight," FTC Chairman Joe Simons said in the
statement last week.

In addition to the external storage device that was hacked, the FTC
outlines other areas where DealerBuilt allegedly failed to protect
consumer information.

Additionally, the FTC alleges DealerBuilt never conducted
vulnerability or penetration testing; drafted, implemented or
maintained a written security policy; or provided training for
employees.

This is not the first time DealerBuilt has had to atone for the 2016
breach. Last year, the company settled with the New Jersey attorney
general's office, agreeing to an $80,784 settlement. According to the
consent order filed May 21, 2018, the office said at least four New
Jersey dealerships were impacted by the breach, with the information
of at least 2,471 New Jersey residents accessed.

DealerBuilt sent letters to affected customers in January 2017, in
accordance with the New Jersey Identity Theft Prevention Act,
according to the consent order. It is unclear if consumers in other
states were notified of the breach.

Dealer liability

According to Musselman, the Hudson Cook lawyer, the settlement with
the FTC does not mean dealerships involved in the breach are
necessarily off the hook.

"Historically, where a service provider has a breach, the underlying
financial institution, meaning the dealer, would be liable," Musselman
said. "Theoretically, they could go after the dealers as well."

Musselman also she was surprised that dealerships were eligible for
data protection insurance after a breach.

"The thought about data breach is it's not if [it occurs], it's when,"
Musselman said. "I know some businesses go out and buy [insurance],
but I have not heard of that as a response to a breach."

Chris Apgar, a data security consultant who typically specializes in
the health care sector, said he has seen many instances in which
federal regulators go after vendors entrusted with storing sensitive
data. In this case, it would be DealerBuilt.

"But that doesn't mean you won't get sued," he said of the vendor's customers.

Indeed, he said he has seen many cases in which vendors and their
clients are sued for data breaches, although most end up being settled
out of court. Apgar emphasized that any company that stores data with
a vendor should practice due diligence and maintain a risk-management
plan.

"Someone might hire a vendor, do a cursory check [of data security],
then never ask again," he said. Dealers "need to check back on an
annual basis."

State laws

The issues around control and protection of customer data between DMS
providers and dealers have long been a topic of concern and the
subject of litigation in the industry.

Jared Allen, vice president of communications for the National
Automobile Dealers Association, said in an emailed statement that
dealers rely heavily on their technology vendors to adequately protect
the sensitive data that they obtain and store.

"We are aware of the issue with this vendor, and are keenly aware of
the tremendous data security challenges dealers face, which we have
been working in earnest for many years to address," Allen wrote.

More recently, dealers have tried to gain more control over the data
by turning to their statehouses. Laws in Arizona and Montana, which
allow dealers to share their DMS data with any third party of their
choice while also prohibiting DMS companies from charging fees, have
passed and were signed into law this spring.

Similar legislation has been introduced in at least two other states,
including Oregon and North Carolina.

Robert Glaser, president of the North Carolina Automobile Dealers
Association, said proposed legislation in that state would help shield
dealers from liability.

"It comes down to who's responsible in the event of a breach, and the
dealer's fundamentally responsible to protect that data," according to
the Gramm-Leach-Bliley Act, Glaser said. "Dealers fundamentally
believe that if that data lies in their system, they're fundamentally
responsible to protect it."

Dealerships involved in the DealerBuilt breach are a potential case in
point. Those clients could still be contacted by disgruntled customers
or regulators for failing to select a vendor that complied with the
Safeguards Rule, said Jim Ganther, president of Mosaic Compliance
Services.

He added, "My advice for the dealers: Lawyer up, be proactive and keep
your checkbooks warm."