The Federal Trade Commission (FTC) has entered into a settlement with a provider of management software for car dealerships that held personal information, including SSNs and payroll information, in cleartext. The FTC held that these practices violated the FTC Act’s prohibition against unfair practices and the GLBA Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive information security program.
The settlement requires the provider to implement a written information security plan, obtain third-party assessments and report periodically to the FTC.
Takeaways:
- Never store or transmit sensitive personal information in cleartext, period.
- Implement appropriate access controls and authentication procedures.
- Ensure that connections between storage devices and backup systems are securely configured.
- Perform periodic vulnerability scanning, penetration testing or other measures designed to detect vulnerabilities.
- Develop, implement and maintain a written information security policy, and train employees on it.
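To make the first takeaway concrete, here is an added example (not code from the FTC order or from the software provider) contrasting the weak pattern, writing a Social Security number to a record exactly as received, with a hardened one that encrypts the field with AES-256-GCM before it is persisted, binding the employee name as associated data so a ciphertext cannot be moved between rows undetected. The `Record` type, the function names and the sample employee are constructed for this illustration; the key is generated in memory only so the example runs offline, whereas a real system would fetch it from a KMS or secrets manager. `LooksLikeCleartextSSN` is a simple audit check of the kind a periodic scan could run over stored values to catch the cleartext pattern.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record models one payroll row as a dealership system might persist it.
// Constructed for this example; not the provider's actual schema.
type Record struct {
	Name string
	SSN  string // cleartext in the weak form, "enc:" + base64(nonce||ciphertext) in the hardened form
}

// StoreCleartext is the weak pattern: anyone who can read the table, a
// backup of it, or a database dump can read every SSN.
func StoreCleartext(name, ssn string) Record {
	return Record{Name: name, SSN: ssn}
}

// NewKey returns a random 256-bit data-encryption key. Placeholder for this
// example only; production code loads the key from a KMS/HSM or secrets manager.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// StoreEncrypted is the hardened pattern: AES-256-GCM, a fresh random nonce per
// value, and the employee name as associated data so the ciphertext is tied to
// its row. The stored value is nonce||ciphertext, base64-encoded for a text column.
func StoreEncrypted(key []byte, name, ssn string) (Record, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(ssn), []byte(name))
	stored := "enc:" + base64.StdEncoding.EncodeToString(append(nonce, ct...))
	return Record{Name: name, SSN: stored}, nil
}

// ReadSSN decrypts a hardened record. It refuses cleartext values outright and
// fails if the ciphertext was tampered with or attached to a different name.
func ReadSSN(key []byte, r Record) (string, error) {
	if !strings.HasPrefix(r.SSN, "enc:") {
		return "", errors.New("record stores SSN in cleartext; refusing to use it")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(r.SSN, "enc:"))
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(r.Name))
	if err != nil {
		return "", err // authentication failed: tampered data or wrong associated name
	}
	return string(pt), nil
}

// LooksLikeCleartextSSN flags values in the nnn-nn-nnnn layout, the pattern a
// periodic data-at-rest scan would look for in columns that should be encrypted.
func LooksLikeCleartextSSN(v string) bool {
	if len(v) != 11 {
		return false
	}
	for i, c := range v {
		if i == 3 || i == 6 {
			if c != '-' {
				return false
			}
			continue
		}
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

func main() {
	key, _ := NewKey()
	weak := StoreCleartext("Ada Example", "123-45-6789") // constructed sample employee
	fmt.Println("weak row flagged by scan:", LooksLikeCleartextSSN(weak.SSN))
	hardened, _ := StoreEncrypted(key, "Ada Example", "123-45-6789")
	fmt.Println("hardened row flagged by scan:", LooksLikeCleartextSSN(hardened.SSN))
	ssn, err := ReadSSN(key, hardened)
	fmt.Println("decrypted for authorised use:", ssn, err)
}
```

The check in `ReadSSN` that rejects cleartext values is deliberate: once the hardened path is in place, any row that still carries a bare SSN is a migration gap, and failing loudly on it is preferable to silently continuing to use the cleartext copy.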