Privacy & Information Security Law Blog

On September 7, 2018, the New Jersey Attorney General announced a settlement with data management software developer Lightyear Dealer Technologies, LLC, doing business as DealerBuilt, resolving an investigation by the state Division of Consumer Affairs into a data breach that exposed the personal information of car dealership customers in New Jersey and across the country. The breach occurred in 2016, when a researcher exposed a gap in the company’s security and gained access to unencrypted files containing names, addresses, social security numbers, driver’s license numbers, bank account information and other data belonging to thousands of individuals, including at least 2,471 New Jersey residents.

To resolve the investigation, DealerBuilt agreed to undertake a number of changes to its security practices to help prevent similar breaches from occurring in the future, including:

• the creation of an information security program to be implemented and maintained by a chief security officer;
• the maintenance and implementation of encryption protocols for personal information stored on laptops or other portable devices or transmitted wirelessly;
• the maintenance and implementation of policies that clearly define which users have authorization to access its computer network;
• the maintenance of enforcement mechanisms to approve or disapprove access requests based on those policies; and
• the maintenance of data security assessment tools, including vulnerability scans.

In addition to the above, DealerBuilt agreed to an $80,784 settlement amount, comprised of $49,420 in civil penalties and $31,364 in reimbursement of the Division's attorneys' fees, investigative costs and expert fees.

Read the consent order resolving the investigation.