ARTICLE
11 September 2019

Auto Dealer Software Company Settles FTC Charges For Failing To Adequately Protect Consumer Data

CW
Cadwalader, Wickersham & Taft LLP

Contributor

Cadwalader, established in 1792, serves a diverse client base, including many of the world's leading financial institutions, funds and corporations. With offices in the United States and Europe, Cadwalader offers legal representation in antitrust, banking, corporate finance, corporate governance, executive compensation, financial restructuring, intellectual property, litigation, mergers and acquisitions, private equity, private wealth, real estate, regulation, securitization, structured finance, tax and white collar defense.
The FTC approved a settlement with an auto dealer software company for failure to enact sufficient data protection measures.
United States Privacy

The FTC approved a settlement with an auto dealer software company for failure to enact sufficient data protection measures.

In a proceeding before the FTC, Lightyear Dealer Technologies, LLC ("Lightyear") was charged for collecting "large quantities" of personal information regarding dealership consumers and employees without securely connecting its storage device to the company's backup system. The FTC's Bureau of Consumer Protection found that the personal data was exposed for 18 months. A hacker allegedly accessed Lightyear's data storage system and acquired the personal information of 69,283 consumers. The FTC alleged that Lightyear did not have procedures in place to detect a data breach. According to the FTC, Lightyear became aware of the breach only when an auto dealer complained that its customers' personal data were publicly available on the Internet.

Pursuant to the settlement, Lightyear will be (i) prohibited from collecting or using consumers' personal information until a comprehensive information security program is implemented, and (ii) required to receive third-party assessments of its information security program every two years.

Commentary

Joel Mitnick

This action is by no means industry-specific. Any company failing to sufficiently protect consumer data is subject to enforcement actions. This action fits with recent other FTC proceedings involving consumer information, such as its $5 billion fine against Facebook for inadequate privacy protections and its $175 million fine against YouTube for inadequately protecting children's privacy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More