FTC data breach deal with DealerBuilt DMS provider sets precedent
June 17, 2019 12:00 AM

FTC data breach deal sets precedent

Jackie Charniga

    In October 2016, hackers gained access to the personal information of more than 12.5 million dealership customers at 130 stores through a vulnerability in the dealership management system provided by software vendor DealerBuilt.

    Over 10 days, sensitive customer information — Social Security, driver's license and credit card numbers, and addresses and birth dates — was siphoned out of DealerBuilt's directories associated with five dealership clients. In all, 9.75 gigabytes of data containing the personal information of 69,283 consumers were downloaded.

    Dealership employee data was likely taken as well, including payroll and bank account information.

    Last week, DealerBuilt, of Mason City, Iowa, settled with the Federal Trade Commission for allegedly failing to properly encrypt sensitive data and conduct necessary vulnerability and penetration testing, the agency said in a statement.

    The settlement, according to legal experts, sets a precedent for treating service providers as financial institutions under the FTC's Safeguards Rule, which requires companies to take steps to protect sensitive digital information. But it doesn't transfer risk from auto dealers to those service providers in the event of a breach. Instead, experts said, the settlement expands responsibility to multiple parties.

    It means going forward "the service provider has direct liability," said Meghan Musselman, a partner at Hudson Cook. "It seems to be sort of a sea change."

    The FTC hasn't gone after a DMS company before, Musselman said.

    Detected by dealer

    The breach was discovered by a dealer who found customer information on the Internet. The Achilles' heel of the system was allegedly a storage device installed on the company's network in April 2015. The FTC said the device was connected "without ensuring that it was securely configured, leaving an insecure connection for 18 months."

    This is where the hackers gained access.

    Preventing a breach

    To prevent a data breach, dealerships should ensure their software vendors follow these rules:

    • Encrypt stored data and data transmitted between other software providers
    • Establish access controls or authentication protections, such as passwords
    • Have a written information security policy
    • Require security training for all employees or contractors using the software
    • Periodically assess risk to system security using vulnerability and penetration testing

    Source: Federal Trade Commission

    According to an FTC blog post, "It wasn't until a reporter told DealerBuilt about the security vulnerability that the company became aware of the open port on its storage device."

    DealerBuilt CEO Michael Trasatti told Automotive News in a statement last week that the company began working with its dealer partners immediately upon learning of the breach.

    "We take securing customer data seriously," Trasatti said. "We work to continuously improve our security."

    John Darmento, director of the Paul Gillrie Institute, a dealership consulting firm in Tampa, Fla., said Trasatti called all dealership clients to tell them what had happened, updated the safeguards for the systems and bought the dealerships insurance to protect them from liability.

    "It was really impressive. If they had a problem with a client, they didn't have to worry. They were covered," Darmento told Automotive News. "That was exactly the way to handle it. Other DMS companies would still be pointing fingers."

    Breach consequences

    Todd Crossley, dealer principal at Gary Crossley Ford in Kansas City, Mo., said DealerBuilt ensured that none of his customers were affected. His store still uses DealerBuilt for its DMS.

    "None of us like our [dealership management systems] in this industry. I moved to these guys because they were the lesser of all evils. But they've done a good job," Crossley said. "After [the breach] happened, I've never had a company hammer security so hard from my side or theirs. I feel really secure about them now."

    Crossley said having control over where his customer data goes, and not having to pay to access that data, is how dealers can stay competitive and compliant.

    "This is a really simple issue. We own the data," he said. "The data was given to us by the customers, and it's our job to secure the data."

    Another dealer, who declined to be named, told Automotive News that DealerBuilt reached out after the breach and that the dealership has not been impacted by the incident.

    But, according to the FTC, some dealers incurred additional costs as a result of the breach. In its June 12 complaint, the FTC said, "Businesses spent many hours handling breach response communications, identifying affected consumers, and responding to consumer complaints. Some dealerships retained legal counsel to respond to the breach."

    The total costs of the breach are incalculable, according to the FTC, because fraud activity resulting from such a breach may not occur for years. Injuries to small businesses and consumers could include "fraud, identity theft, monetary loss, and time spent remedying the problem," the commission said. It's not clear whether any such injuries occurred in this case.

    Settlement terms

    DealerBuilt is required to implement measures in accordance with the Safeguards Rule and is prohibited from handling consumer data in any capacity until a security program is designed and implemented. The settlement also requires the company to obtain third-party assessments of its security program every two years.

    The FTC does not have authority to seek monetary penalties for an initial violation, but if the company violates the settlement, the commission could seek civil penalties of up to $42,350 per violation.

    The FTC alleges in its proposed consent order with DealerBuilt that the data the company had collected was stored and transmitted in clear text, in violation of the Gramm-Leach-Bliley Act, which requires financial institutions to ensure the security and confidentiality of sensitive customer information.

    The FTC also alleged that DealerBuilt stored data without the access controls or authentication protections that the rule requires.

    "The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third party assessor's accountability and providing the FTC with additional tools for oversight," FTC Chairman Joe Simons said in the statement last week.

    In addition to the external storage device that was hacked, the FTC outlines other areas where DealerBuilt allegedly failed to protect consumer information.

    The FTC alleges DealerBuilt never conducted vulnerability or penetration testing; never drafted, implemented or maintained a written security policy; and never provided security training for employees.

    This is not the first time DealerBuilt has had to atone for the 2016 breach. Last year, the company settled with the New Jersey attorney general's office, agreeing to an $80,784 settlement. According to the consent order filed May 21, 2018, the office said at least four New Jersey dealerships were impacted by the breach, with the information of at least 2,471 New Jersey residents accessed.

    DealerBuilt sent letters to affected customers in January 2017, in accordance with the New Jersey Identity Theft Prevention Act, according to the consent order. It is unclear if consumers in other states were notified of the breach.

    Dealer liability

    According to Musselman, the Hudson Cook lawyer, the settlement with the FTC does not mean dealerships involved in the breach are necessarily off the hook.

    "Historically, where a service provider has a breach, the underlying financial institution, meaning the dealer, would be liable," Musselman said. "Theoretically, they could go after the dealers as well."

    Musselman also said she was surprised that dealerships were eligible for data protection insurance after a breach.

    "The thought about data breach is it's not if [it occurs], it's when," Musselman said. "I know some businesses go out and buy [insurance], but I have not heard of that as a response to a breach."

    Chris Apgar, a data security consultant who typically specializes in the health care sector, said he has seen many instances in which federal regulators go after vendors entrusted with storing sensitive data. In this case, it would be DealerBuilt.

    "But that doesn't mean you won't get sued," he said of the vendor's customers.

    Indeed, he said he has seen many cases in which vendors and their clients are sued for data breaches, although most end up being settled out of court. Apgar emphasized that any company that stores data with a vendor should practice due diligence and maintain a risk-management plan.

    "Someone might hire a vendor, do a cursory check [of data security], then never ask again," he said. Dealers "need to check back on an annual basis."

    State laws

    The issues around control and protection of customer data between DMS providers and dealers have long been a topic of concern and the subject of litigation in the industry.

    Jared Allen, vice president of communications for the National Automobile Dealers Association, said in an emailed statement that dealers rely heavily on their technology vendors to adequately protect the sensitive data that they obtain and store.

    "We are aware of the issue with this vendor, and are keenly aware of the tremendous data security challenges dealers face, which we have been working in earnest for many years to address," Allen wrote.

    More recently, dealers have tried to gain more control over the data by turning to their statehouses. Laws in Arizona and Montana, which allow dealers to share their DMS data with any third party of their choice while also prohibiting DMS companies from charging fees, have passed and were signed into law this spring.

    Similar legislation has been introduced in at least two other states, including Oregon and North Carolina.

    Robert Glaser, president of the North Carolina Automobile Dealers Association, said proposed legislation in that state would help shield dealers from liability.

    "It comes down to who's responsible in the event of a breach, and the dealer's fundamentally responsible to protect that data," according to the Gramm-Leach-Bliley Act, Glaser said. "Dealers fundamentally believe that if that data lies in their system, they're fundamentally responsible to protect it."

    Dealerships involved in the DealerBuilt breach are a potential case in point. Those clients could still be contacted by disgruntled customers or regulators for failing to select a vendor that complied with the Safeguards Rule, said Jim Ganther, president of Mosaic Compliance Services.

    He added, "My advice for the dealers: Lawyer up, be proactive and keep your checkbooks warm."

    David Muller contributed to this report.
