New Jersey Attorney General announces settlement with data management software company over auto dealer data breach claims
On September 7, the New Jersey Attorney General announced a settlement with an Iowa-based data management software company related to an alleged data breach that exposed the personally identifiable information (PII) of auto dealership customers across the country. According to the consent order, the company—which develops and operates a dealer management system that stores and secures customer and employee data accessed by 130 auto dealerships nationwide—experienced a breach of security in 2016 that allowed unauthorized public access to unencrypted files containing PII. Following the breach, the state commenced an investigation into whether the company violated either the state’s Consumer Fraud Act (CFA) or its Identity Theft Prevention Act (ITPA). Under the terms of the settlement, the company—without admitting to the allegations—has agreed to pay a $49,420 civil money penalty, of which $20,000 will be suspended and automatically vacated after two years provided the company complies with the consent order and does not engage in any future violations of the CFA and/or the ITPA. Furthermore, the company will pay $31,365 to reimburse attorneys’ fees, and has, among other things, agreed to implement a comprehensive security program to prevent similar breaches from occurring in the future.