In the FTC announcement of the probe, the agency says personal information, including sensitive data about customers and/or employees, "has been shared from the organizations' computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud."
The agency says it also has begun "non-public investigations" of other companies whose customer or employee information has been exposed on P2P networks. The FTC says it will help businesses manage the security risks presented by file-sharing software by releasing new education materials that present the risks and recommend ways to manage them.
When asked if the nearly 100 organizations could be named -- or if any of the 100 were in financial services -- an FTC insider declined, citing privacy requirements, but the announcement says that "letters went to companies under FTC jurisdiction, as well as entities such as banks and public agencies over which the agency does not have jurisdiction."
P2P technology, which is widely used to play games, make online telephone calls, and share music, video and documents, also has potentially dangerous security implications. When P2P file-sharing software is not configured properly, files that were never intended for sharing (for example, anything stored under a folder the client has been told to share) may be accessible to anyone on the P2P network.
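The inadvertent-sharing risk described above is easiest to see with a concrete check. The script below is an added example written for this article, not code from the FTC or from any P2P vendor: it audits the contents of a folder that a P2P client has been configured to share against an allow-list of media extensions and a few simple patterns for the kinds of data the FTC reported finding (social security numbers, financial records, driver's license references). `ALLOWED_EXTENSIONS`, `SENSITIVE_PATTERNS` and the `SAMPLE_FILES` mapping are assumptions constructed for the example; the patterns are heuristics, not a complete data-loss-prevention ruleset.

```python
"""
Audit a P2P share folder for files that were never meant to be shared.
Constructed example: SAMPLE_FILES below is made up, and the detection
patterns are simple heuristics rather than a complete DLP ruleset.
"""
import re
from pathlib import Path

# Extensions the share is intended to expose (assumption: a media-only share).
ALLOWED_EXTENSIONS = {".mp3", ".mp4", ".ogg", ".avi"}

# Heuristics for the data types the FTC described as exposed on P2P networks.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "keyword": re.compile(rb"(?i)\b(driver'?s? licen[cs]e|account number|diagnosis)\b"),
}


def classify(path, content):
    """Return the reasons this file should not be on the share, or [] if none."""
    reasons = []
    ext = Path(path).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension {ext or '(none)'} not in the share's allow-list")
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(content):
            reasons.append(f"content matches {name} pattern")
    return reasons


def find_sensitive(files):
    """files: mapping of relative path -> bytes. Returns {path: [reasons]} for flagged files."""
    findings = {}
    for path, content in sorted(files.items()):
        reasons = classify(path, content)
        if reasons:
            findings[path] = reasons
    return findings


def scan_directory(root, max_bytes=1_000_000):
    """Read every regular file under root (first max_bytes of each) and audit it."""
    files = {}
    root = Path(root)
    for p in root.rglob("*"):
        if p.is_file():
            with open(p, "rb") as fh:
                files[str(p.relative_to(root))] = fh.read(max_bytes)
    return find_sensitive(files)


# Constructed sample share contents: two media files that belong there and two
# documents that were dropped into the shared tree by mistake.
SAMPLE_FILES = {
    "music/track01.mp3": b"ID3\x03\x00...",
    "docs/payroll_2009.csv": b"name,ssn,salary\nJ. Doe,123-45-6789,52000\n",
    "docs/notes.txt": b"Reminder: bring driver's license to HR.",
    "video/clip.mp4": b"\x00\x00\x00\x18ftypmp42",
}

if __name__ == "__main__":
    # Run scan_directory("/path/to/share") against a real share; the sample
    # mapping is used here so the script runs offline.
    for flagged_path, why in find_sensitive(SAMPLE_FILES).items():
        print(flagged_path)
        for reason in why:
            print("  -", reason)
```

Against a real client, point `scan_directory` at each folder the P2P program lists as shared and treat any finding as a file to move out of the shared tree, then re-check the client's configuration so that only the intended folders are exposed.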
"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk. For example, we found health-related information, financial records, and drivers' license and social security numbers--the kind of information that could lead to identity theft," says FTC Chairman Jon Leibowitz in the FTC's announcement. "Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing," Leibowitz concludes.
The FTC source also says that in the sample letters that the FTC released, some reference is made to "the right to take action against you based on past or future law violations." The FTC says it enforces laws that require companies to "take reasonable and appropriate security measures to protect sensitive personal information," including the Gramm-Leach-Bliley Act and Section 5 of the FTC Act. Failure to prevent such information from being shared to a P2P network may violate such laws.
A historical look at past FTC cases shows that no previous information security case has involved P2P networks.
The FTC source says the notices went to both private and public entities, including schools and local governments, and the entities contacted ranged in size from businesses with as few as eight employees to publicly-held corporations employing tens of thousands.
Just because a company got a letter doesn't mean it has violated any law enforced by the FTC.