The Federal Trade Commission yesterday announced settlements with two companies over security breaches caused by peer-to-peer (P2P) file sharing software. According to the FTC, EPN, Inc., a debt collector based in Utah, and Franklin’s Budget Car Sales, Inc. ("Franklin’s"), a Georgia auto dealer, compromised consumers’ personal information by allowing P2P software to be installed on their networks. The settlements require the companies to establish and maintain comprehensive information security programs and to undergo data security audits by independent auditors every other year for 20 years.
In its complaint against EPN, Inc., the FTC charged that the debt collection company — whose clients included healthcare providers, commercial credit organizations, and retailers — failed to implement reasonable security measures for personal information on its computers and networks, which enabled its CEO to install a P2P application on her desktop computer. As a result, files containing personal information about an EPN client’s debtors were made available on a P2P network. The files contained the information of approximately 3,800 hospital patients, including Social Security numbers, health insurance numbers, and medical diagnosis codes.
The FTC has previously warned of the security risks presented by P2P software. In 2010, the agency notified almost 100 organizations that personal information about their customers and/or employees was available on P2P file sharing networks. Samples of the FTC’s notice letters, which urged the affected organizations to review their security practices and consider notifying the individuals whose information was exposed, are available on the agency’s website. The FTC has also prepared guides for businesses and consumers on reducing the risks of P2P programs.