Data security agreements with service providers including updated order terms

The domino effect. A chain reaction. The butterfly effect. Use whatever analogy you like to describe how one software developer's allegedly lax security measures led to the exposure of confidential customer information maintained by many businesses that used its software. If your business is a service provider, or if your company uses a third-party service provider to help manage its data, the proposed Federal Trade Commission settlement deserves your attention. One noteworthy aspect of the case is that the proposed order, which includes new data security requirements, reflects the Commission's current priorities for updating its data security orders.

Many third-party service providers sell industry-specific data management software to consumer-facing businesses. One example is DealerBuilt, dealer management software developed by LightYear Dealer Technologies. DealerBuilt is a well-known name in the industry, with customers that include some of the largest dealers in the United States. Dealers using DealerBuilt software collect and maintain large amounts of sensitive financial, payroll, accounting and other information about consumers and employees. Dealers can have their data hosted by DealerBuilt or host it on their own servers. Businesses that choose the second option regularly back up their databases to DealerBuilt's network.

Before getting to the events that led to the enforcement action, let's pause for a moment and consider some of DealerBuilt's practices during the period covered by the FTC's proposed administrative complaint. According to the FTC:

  • DealerBuilt stored information in clear text, without any access controls or authentication protection (such as passwords or tokens). Data transferred between dealers and DealerBuilt's backup database was also sent in clear text.
  • DealerBuilt did not have a written information security policy.
  • DealerBuilt did not provide employees or contractors with reasonable data security training.
  • DealerBuilt did not assess the risk to sensitive information on its network through regular risk assessments or by performing vulnerability and penetration testing.
  • DealerBuilt did not use readily available security measures to monitor, among other things, unauthorized attempts to transfer sensitive information.
  • DealerBuilt did not implement reasonable data access controls, for example restricting inbound connections to known IP addresses or requiring authentication to access its backup databases.
  • DealerBuilt did not have reasonable processes in place to select, install and secure devices that could access personal information.

Given those alleged security failures, what happened next is not surprising. To increase available backup storage, a DealerBuilt employee purchased a storage device and installed it on the company's network in April 2015. According to the FTC, DealerBuilt management failed to take steps to ensure the device was securely configured. Had anyone checked, they would have found that the device created an open port that allowed the transfer of information.

Fast forward to late October 2016: a hacker came in through that open port and gained unauthorized access to DealerBuilt's backup database, which held the unencrypted personal information of more than 12 million consumers stored by 130 of the company's dealer customers. The hacker accessed the system multiple times and downloaded the personal information of 69,283 consumers and the entire backup directories of five dealers. That's not all: for quite some time, DealerBuilt's insecure configuration was indexed on public websites that hackers use to locate devices with insecure connections. What was ultimately stolen? Consumers' Social Security numbers, driver's license numbers and dates of birth, along with dealership employees' salary and financial information, all five-star favorites of identity thieves.

DealerBuilt learned of the breach on November 7, 2016, when a dealer called to ask why its customer data was publicly accessible online. According to the FTC, the company was not aware of the open port on its storage device until a reporter informed DealerBuilt of the security flaw.

Count 1 of the complaint should be familiar to FTC watchers: the FTC charged that the company's failure to employ reasonable security measures was an unfair practice in violation of the Federal Trade Commission Act. Count 2 deserves special mention because DealerBuilt meets the Gramm-Leach-Bliley Act's definition of a "financial institution." That triggers compliance with the GLB Safeguards Rule, which the FTC charged DealerBuilt with violating by, among other things, failing to develop, implement and maintain a written information security program; failing to identify reasonably foreseeable risks to the security, confidentiality and integrity of customer information; and failing to implement basic safeguards and regularly test their effectiveness.

To resolve the case, the company has agreed to a proposed order that includes notable new provisions worth a careful read. Like the orders announced in April in the Clixsense and iDressup cases, the proposed order in this case would require senior DealerBuilt officials to provide annual certifications of compliance to the FTC. The order also requires DealerBuilt to implement specific, enforceable safeguards that address the issues alleged in the complaint, such as conducting annual employee training, monitoring its systems for data security incidents, implementing access controls, and inventorying the devices on its network. In addition, the proposed order makes significant changes to strengthen the accountability of the third-party assessor responsible for reviewing DealerBuilt's data security program. More importantly, the order gives the FTC greater access to the documents and other information on which the assessor bases its conclusions.

Why the updated order terms? The order is more specific, it forces senior management to pay attention to security, it requires the assessor to take a deeper "look under the hood," and the new FTC monitoring tools are intended to ensure compliance with the order and, if necessary, its enforcement.

The FTC will accept public comments for 30 days once the proposed settlement is published in the Federal Register. What can other companies learn from this case?

Train and supervise your employees to be security-focused. Designating someone to be responsible for your business's security is only a start; it doesn't mean you can pretend vulnerabilities don't exist. Companies that handle consumers' sensitive personal information have a responsibility to consider security from start to finish. Conduct employee training that is appropriate to the nature of your business and updated to reflect current risks and threats. What's more, make sure someone is overseeing the supervisors whose decisions can have a big impact on the company's security.

Use caution when installing a device with network access. Like sticking a finger in a socket, adding certain devices risks a severe shock to your system. Carefully consider the security hazards and ensure that any device is installed and configured correctly.
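As an added example (not from this post, the FTC or DealerBuilt), here is one way to check a newly installed network device, such as the backup storage device described above, against the controls the complaint says were missing: it parses constructed `ss -tln` output and compares every network-reachable listener to a constructed policy stating which ports are approved, whether the service must authenticate and encrypt, and which source addresses may reach it. The policy values and the listener output are constructed for illustration.

```python
import re

# Constructed `ss -tln` output from a newly installed backup storage device (not from the case).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:445          0.0.0.0:*
LISTEN 0      128    0.0.0.0:2049         0.0.0.0:*
LISTEN 0      128    127.0.0.1:9000       0.0.0.0:*
LISTEN 0      128    [::]:22              [::]:*
"""

# Constructed policy for this device class: which ports may be exposed to the network, whether the
# service must authenticate clients and encrypt traffic, and which source ranges may reach it.
POLICY = {
    22:   {"auth": True,  "encrypted": True,  "sources": ["203.0.113.0/24"]},  # SSH from known range
    2049: {"auth": False, "encrypted": False, "sources": []},                   # NFS as shipped: open
}

LISTEN_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s")
LOOPBACK = ("127.0.0.1", "[::1]")


def parse_listeners(ss_text):
    """Return (local_address, port) for each listening socket in ss -tln output."""
    listeners = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def audit_listeners(listeners, policy):
    """Flag the gaps the complaint describes: services exposed without approval, without
    authentication, in clear text, or reachable from any source address."""
    findings = []
    for addr, port in listeners:
        if addr in LOOPBACK:
            continue                      # bound to loopback only; not reachable from the network
        rule = policy.get(port)
        if rule is None:
            findings.append(f"{addr}:{port} is listening but is not an approved service")
            continue
        if not rule["auth"]:
            findings.append(f"{addr}:{port} does not authenticate clients")
        if not rule["encrypted"]:
            findings.append(f"{addr}:{port} transfers data in clear text")
        if not rule["sources"]:
            findings.append(f"{addr}:{port} is not restricted to known source addresses")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(parse_listeners(SS_OUTPUT), POLICY):
        print("FINDING:", finding)
```

Run against the constructed output, the check reports the unapproved SMB listener and three gaps on the open NFS export, while SSH on its restricted, authenticated, encrypted port produces nothing.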

GLB covers a lot of ground. The term "financial institution" may conjure up images of passbooks, tellers and pens chained to desks, but that's not how the Gramm-Leach-Bliley rule defines the term. Consider whether your business could be a financial institution subject to the GLB Safeguards Rule.

If your company uses third-party software or vendors, build security into your contracts. Even if another company's conduct is the violation, your customers' information may be at risk, and they will want to know what you did to protect them. As the FTC publication Start with Security recommends, spell out your security expectations when entrusting data to third-party service providers, monitor what they do on your behalf, and watch sites that report known vulnerabilities.

Service providers are responsible for protecting the personal data they collect and store. Even if your operations are behind the scenes, you may still be liable for violations. If you handle sensitive consumer data on behalf of other companies, security should be front and center.

from Tech Empire Solutions https://techempiresolutions.com/data-security-agreements-with-service-providers-including-updated-order-terms/
via https://techempiresolutions.com/