The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC- doing business as DealerBuilt- over a 2016 data breach. The company provides its clients, car dealerships, software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. According to the AG’s order, the company misconfigured a file synchronizing program. As a result, sensitive information was available publicly, and a security researcher downloaded almost 10GB of data in the fall of 2016. Included in the downloaded data was sensitive personal information of about five car dealerships’ customers and employees.

DealerBuilt notified impacted individuals in early 2017. The New Jersey investigation arose after that notification. To resolve the investigation, DealerBuilt agreed with the AG to put in place a written security program within 120 days after the effective date of the order. Such programs are not required under New Jersey law. As part of that program, DealerBuilt agreed to have appropriate physical safeguards, encryption, access protocols and other similar security measures, as well as to appoint an officer experienced in security to implement and maintain the program. DealerBuilt also agreed to keep information only for the purposes needed to “accomplish the intended purpose” of DealerBuilt or its clients. DealerBuilt will pay a little over $80,000 as part of the settlement.

Putting it Into Practice: This order gives companies some insight into what the New Jersey attorney general expects of companies with respect to data security, including a written security program, even absent a New Jersey law requiring written security programs (which exist in other states, like Massachusetts).