U.S. Federal Trade Commission building in Washington, D.C. Photo: Diego M. Radzinschi/ALM U.S. Federal Trade Commission building in Washington, D.C. Photo: Diego M. Radzinschi/ALM

Responding to critics and at least one federal appeals court that have called its orders too weak and vague, the Federal Trade Commission has put more teeth into its latest proposed consent order in a data breach case.

The order released Wednesday contains several new provisions that general counsel will want to consider in any risk assessment, including one requiring executives to take more responsibility for compliance.

“The requirements are much more detailed and specific about what the company has to do to achieve compliance and maintain adequate security practices,” explained David Shonka, a former acting general counsel at the commission and now a partner at the Redgrave law firm in Washington, D.C. “It really does answer a lot of the criticisms that commission orders have been facing.”

The changes comes after the U.S. Court of Appeals for the Eleventh Circuit last summer tossed out the commission's cease and desist order against LabMD Inc., saying it was unenforceable because “it mandate[d] a complete overhaul of LabMD's data-security program and [said] precious little about how this is to be accomplished.”

Wednesday's order involves DealerBuilt, an Iowa-based company that sells software and data services to 130 of the country's largest auto dealerships. The software handles billions of dollars' worth of transactions, and the breach exposed the consumer data of 12.5 million customers.

In a complaint, the FTC alleged that DealerBuilt failed to implement readily available and low-cost measures to protect personal information it obtained from its auto dealer clients. DealerBuilt did not immediately return messages seeking comment Thursday.

The commission alleged that DealerBuilt didn't encrypt information, have a written data security policy, provide data security training to employees or contractors, do periodic risk assessments, monitor attempts to breach information, or have reasonable data access controls in place.

An employee allegedly bought a backup storage device and plugged it in without taking steps to secure it. A hacker was able to breach it multiple times and access the customers' Social Security numbers, driver's license numbers and dates of birth, along with payroll information about dealership employees.

The commission alleged that DealerBuilt violated the FTC Act's prohibition against unfair practices and the Gramm-Leach-Bliley Act's Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program.

Of special note to general counsel and chief compliance officers, the consent order requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review.

Significantly it also requires a senior DealerBuilt manager to provide the commission with annual certifications of compliance.

The agreement requires DealerBuilt to conduct yearly employee training, monitor its systems for security incidents, implement access controls, and inventory devices on its network.

Earlier orders from the commission lacked such detailed requirements. “Earlier the commission's approach was sort of 'go forth and sin no more' while developing a suitable program for your organization,” Shonka said. The agency was reluctant to “take away the discretion and decision-making of businesspeople,” he added.

“My reading is the commission has done what its critics have been saying for a long time it needs to do: Be precise and make the boundaries clear,” Shonka said.

The deal will be subject to public comment for 30 days after publication in the Federal Register, after which the commission will decide whether to make the proposed consent order final.