The FTC recently entered into a 20-year consent decree with an auto dealer management system (“DMS”) provider having approximately 180 auto dealer clients. The consent decree related to deficiencies in its Safeguards process and security system that permitted a hacker to access its unsecured backup database that contained the unencrypted nonpublic personal information (“NPI”) of approximately 12.5 million consumers, stored by 130 of its dealer customers. The entire customer files and all NPI of five dealers were accessed through an open port on the DMS provider’s backup storage unit.
The complaint is the first FTC Safeguards action involving data breaches in the auto industry. It effectively lays out the FTC’s requirements for meeting the Safeguards Rule with respect to auto dealers. In this case, the auto dealers outsourced their data storage to the DMS provider and failed to take steps to monitor or investigate the DMS provider’s security until it was too late. The breach was uncovered when one dealer found all of its customers’ NPI for sale on the Internet.
The Security Failures of the DMS Provider
Here are the shortfalls in the DMS provider’s Safeguards program. These are shortfalls you should consider in your annual Safeguards review and your Safeguards policy updates.
- Failing to conduct periodic risk assessments or perform vulnerability and penetration testing of the network - Data security is a moving target as new threats emerge daily. An IT professional can run tests attempting to break into your system as well as test individual workstations to see if any have been compromised. Running mock phishing tests on employees and seeing how many click on the mock link is another good idea. This should be done at least annually; any system deficiencies or compromised workstations must be corrected immediately, and any attackers who have gotten in must be immediately quarantined and disabled.
- Failing to use readily available security measures to monitor its systems and assets at discrete intervals to identify data security events and the effectiveness of security measures - You need your IT officer to map the normal workings of your system and identify irregular patterns of activity that may indicate someone has broken in. Examples would be irregular patterns of access to NPI by or through system users, or administrative privileges being exercised by unauthorized persons. This requires that every access to NPI be logged and evaluated in relation to normal business activity. Irregular behavior should be quickly investigated and addressed with the user.
- Failing to impose reasonable data access controls, such as restricting inbound connections to known IP addresses, and requiring authentication to access NPI databases - You should establish a “white list” of permitted third party Internet sites for both entry to your system and access from your system with entry from and access to other sites, including all Web-based email, prohibited. If a user wants to access a non-white listed site, they should have to obtain permission from your IT officer who will check the safety of the site. Authentication controls such as passwords, tokens, or biometric features should also be in place to access NPI.
- Failing to encrypt NPI at rest and in motion - The DMS provider’s backup system contained all of the customer NPI in plain text on an unsecured storage device without any access controls or authentication protections, such as passwords or tokens. It was accessible to anyone through an open port. None of it was encrypted. All customer NPI should be encrypted both when being transmitted and in storage. Failing to do so violates the Safeguards Rule.
- Failing to have a reasonable process to select, install, secure, and inventory devices with access to personal information - As noted, the DMS provider did not inventory any of its devices or install anti-virus or anti-malware security software. When inventorying and securing devices, you need to include any personal devices that employees or vendors use to access your system. Your IT officer should have the ability to cut off access from any device at any time.
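The monitoring bullet above calls for logging every access to NPI and flagging activity that departs from normal business patterns. The following is an added example, not code from the article or from the DMS provider, showing two such checks over a constructed access log: administrative actions taken by anyone outside an authorized set, and a user's NPI read volume jumping far above that user's own baseline. The log format, field names, and thresholds are assumptions for illustration.

```python
from statistics import median
from collections import defaultdict

# Constructed sample log (not real data). Assumed format per line:
# user,action,role,records_touched
SAMPLE_LOG = """\
jsmith,read_npi,sales,12
jsmith,read_npi,sales,9
mlee,read_npi,finance,30
mlee,read_npi,finance,28
jsmith,read_npi,sales,11
jsmith,read_npi,sales,400
tkim,export_npi,sales,1
tkim,grant_admin,sales,0
root_admin,grant_admin,it,0
"""

# Assumed policy: only these accounts may perform privileged actions.
AUTHORIZED_ADMINS = {"root_admin"}
ADMIN_ACTIONS = {"grant_admin", "export_npi"}


def parse_log(text):
    """Turn the comma-separated log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        user, action, role, records = line.split(",")
        events.append({"user": user, "action": action,
                       "role": role, "records": int(records)})
    return events


def find_unauthorized_admin_actions(events):
    """Privileged actions by accounts not on the authorized admin list."""
    return [e for e in events
            if e["action"] in ADMIN_ACTIONS and e["user"] not in AUTHORIZED_ADMINS]


def find_volume_anomalies(events, factor=5.0, min_history=3):
    """Flag an NPI read whose record count exceeds `factor` times the
    median of that user's earlier reads (needs `min_history` prior reads)."""
    history = defaultdict(list)
    alerts = []
    for e in events:
        if e["action"] != "read_npi":
            continue
        past = history[e["user"]]
        if len(past) >= min_history and e["records"] > factor * median(past):
            alerts.append(e)
        past.append(e["records"])
    return alerts
```

On the sample log the first check flags tkim's export and privilege grant, and the second flags jsmith's 400-record read against a baseline of about 11 records per access.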
The FTC concluded that the DMS provider’s “failures to provide reasonable security for the sensitive personal information about dealership consumers and employees, and business financial information, has caused or is likely to cause substantial injury to consumers and small businesses in the form of fraud, identity theft, monetary loss, and time spent remedying the problem.”
The DMS provider agreed to a 20-year consent decree to settle the FTC’s finding of unfair data security practices and Safeguards Rule violation claims. It includes requiring the DMS provider to establish a comprehensive information security program with the following minimum components:
- written documentation of the program;
- submission of the documentation to its board of directors annually;
- have an independent third party assess its security twice-yearly;
- designation of a responsible employee to maintain the program;
- annual risk assessments;
- annual training of employees;
- implementation of adequate security controls;
- an annual assessment of the adequacy of those security controls;
- annual penetration testing of all devices capable of accessing the system;
- system vulnerability testing every four months;
- vendor and service provider management with contractual requirements;
- regular program maintenance and changes based on reviews;
- certify its compliance with the consent order to the FTC annually;
- report data security incidents within 10 days;
- create and retain records for 20 years; and
- permit the FTC to request additional information or interview anyone affiliated with the DMS provider in order to ensure compliance.
The FTC also required the DMS provider to adopt specific security controls, network and system monitoring, data access controls, encryption of data, and device inventories. Although these controls address the specific issues that led to the DMS provider’s security incident, dealers should take notice that these are the Safeguards protections that the FTC expects to be adopted in connection with a consumer auto finance business.
As a final penalty, the FTC forced the DMS provider to agree that “[n]o documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or similar claim.”
Summary and What It Means for You
The FTC has now spoken on what specific things it requires an auto industry Safeguards program to include. Now would be a good time to look at your Safeguards program to determine which of these specific protections you are lacking and begin to implement them into your program. The compliance burden of the FTC is only the beginning of problems this DMS provider will have to face as dealer and consumer lawsuits, actions by state regulators, and further investigations and audits will impose great costs and diversion of business time. A study by Verizon found that three out of five small businesses that suffered a security breach went out of business within six months. Doing your best to prevent being the next one is time and money well spent compared to the alternative.