FTC Paves New Road
The message this administration has been delivering over the last two to three years is less regulation and fewer controls. So what, exactly, is the FTC doing? Is it freelancing, or is there a plan here? My guess is that there is a plan.
Last week the FTC whacked DealerBuilt, a vendor that provides dealership management software as a service to car dealerships.
Apparently, back in late 2016, DealerBuilt had a breach that exposed the data of about 12 million customers from over 130 dealerships. The data included everything you would expect to find in a car loan application.
The crooks downloaded about 10 gigabytes of that data, representing about 70,000 customers, before the intrusion was discovered. The root cause was a really poor cybersecurity program: transmitting data in the clear, storing data unencrypted, no penetration testing, and so on.
What is new here is that the FTC is holding the vendor, not the dealers, responsible. The FTC's position is that the vendor has direct liability to the FTC, even though it is the car dealership that is considered a financial institution because it makes car loans.
DealerBuilt tried to make it right with its customers after the breach, but the damage was already done.
Under the terms of the deal, DealerBuilt is prohibited from handling consumer data at all until it has an approved cybersecurity program in place (meaning zero revenue until then), and it has to undergo a third-party risk assessment every two years. While the article does not say so, these FTC orders typically last for 20 years.
If they screw up again, the FTC could fine them $42,530 (who makes up these numbers?) per violation. $42,530 x 70,000 customers = roughly $2.98 billion. Probably enough incentive.
The key point is that if you are a vendor to someone, and most companies are, the FTC is saying it reserves the right to come after you as well as your customer.
The consent decree also holds company executives responsible for the new cybersecurity program and requires the company to conduct penetration tests.
Interestingly, it seems the FTC is still going after folks, as is Health and Human Services (HIPAA), while other agencies, such as the EPA, are being told to stand down. Source: Autonews.