HL Chronicle of Data Protection Privacy & Information Security News & Trends

FTC Reaches Settlements Over P2P Data Breaches

The Federal Trade Commission yesterday announced settlements with two companies over security breaches caused by peer-to-peer (P2P) file sharing software.  According to the FTC, EPN, Inc., a debt collector based in Utah, and Franklin’s Budget Car Sales, Inc. ("Franklin’s"), a Georgia auto dealer, compromised consumers’ personal information by allowing P2P software to be installed on their networks. The settlements require the companies to establish and maintain comprehensive information security programs and to undergo data security audits by independent auditors every other year for 20 years.

In its complaint against EPN, Inc., the FTC charged that the debt collection company — whose clients included healthcare providers, commercial credit organizations, and retailers — failed to implement reasonable security measures for personal information on its computers and networks, which enabled its CEO to install a P2P application on her desktop computer.  As a result, files containing personal information about an EPN client’s debtors were made available on a P2P network.  The files contained the information of approximately 3,800 hospital patients, including Social Security numbers, health insurance numbers, and medical diagnosis codes.  

The FTC’s complaint against Franklin’s alleges that the personal information of approximately 95,000 consumers, including Social Security and driver’s license numbers, was exposed after a P2P application was installed on a computer connected to the auto dealer’s network.  The complaint alleges that Franklin’s violated representations in its privacy policy that it implements reasonable and appropriate measures to protect consumers’ personal information from unauthorized access.  In addition, because the auto dealer, which provides financing services to individual consumers, is a "financial institution" under the Gramm-Leach-Bliley Act (GLBA), the FTC alleged that Franklin’s had violated the GLBA Safeguards Rule (by failing to implement reasonable security policies and procedures) as well as the GLBA Privacy Rule (by failing to provide customers with annual privacy notices and a mechanism for opting out of the sharing of their personal information with unaffiliated third parties).  The action against Franklin’s is the first FTC action against an auto dealer for GLBA violations.

The FTC has previously warned of the security risks presented by P2P software.  In 2010, the agency notified almost 100 organizations that personal information about their customers and/or employees was available on P2P file sharing networks.  Samples of the FTC’s notice letters, which urged the affected organizations to review their security practices and consider notifying the individuals whose information was exposed, are available on the agency’s website. The FTC also has prepared guides for businesses and consumers on reducing the risks of P2P programs.