FTC Highlights P2P Network Risks
2 Settlements in Cases That Exposed Data on 100,000
The Federal Trade Commission has reached settlement agreements with a debt collector and an automobile dealership charged with exposing sensitive consumer information on peer-to-peer file-sharing networks.
The debt collector incident affected 3,800 hospital patients; the auto dealer case affected 95,000 individuals, according to an FTC statement. The settlement agreements, which do not mention financial penalties, call for both businesses to establish and maintain comprehensive information security programs and undergo biennial data-security audits conducted by independent auditors for the next 20 years.
The FTC claims both businesses allowed peer-to-peer file-sharing software to be installed on their corporate computer systems, violating the businesses' obligation to protect consumer privacy and the security, confidentiality and integrity of personal information.
The case against the auto dealer also includes violations of the Gramm-Leach-Bliley Safeguards Rule.
Peer-to-peer technology can be used in many ways, such as to play games and make online telephone calls. Peer-to-peer file-sharing software also allows network users to share music, videos and documents.
In 2010, through an examination of peer-to-peer-related breaches, the FTC found that peer-to-peer file-sharing software can also expose stored consumer data to sharing.
Files shared on peer-to-peer networks are available for viewing or downloading by any computer that accesses the network, and once shared they typically cannot be recalled. Even after the files are deleted from the original source computer, copies can continue to be shared among other computers still connected to the network.
Debt Collector Case
In its case against Provo, Utah-based debt collector EPN Inc., the FTC says EPN exposed sensitive consumer information, including Social Security numbers, health insurance numbers and medical diagnosis codes, on 3,800 hospital patients after its chief operating officer installed peer-to-peer file-sharing software on a corporate computer. EPN's clients include healthcare providers, commercial credit organizations and retailers.
The FTC says EPN did not have an appropriate information security plan, failed to assess risks to stored consumer information, did not adequately train employees, did not use reasonable measures to enforce compliance with internal security policies, and failed to use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks.
Auto Dealer Incident
In a separate case against Franklin's Budget Car Sales Inc., an auto dealer in Statesboro, Ga., the FTC alleges Franklin compromised consumers' personal information by allowing P2P software to be installed on its network.
Franklin sells and leases cars and provides financing. Because of its financing function, Franklin is considered a financial institution, meaning its alleged security failures violated GLB safeguards, as well as Section 5 of the FTC Act.
The FTC also determined that Franklin failed to provide annual privacy notices as well as a mechanism for consumers to opt out of information-sharing with third parties, which also violates the GLB Privacy Rule.
As a result of its lax security, information about 95,000 consumers was made available on Franklin's peer-to-peer network, according to the FTC. The information included names, addresses, Social Security numbers, dates of birth and driver's license numbers.
The FTC claims Franklin failed to adequately assess risks to consumer information it collected and stored online, and failed to adopt policies to prevent or limit unauthorized disclosure of information. The company also failed to prevent, detect and investigate unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information, according to the FTC.
In its settlement with Franklin, because of the auto dealer's financing program, the FTC has barred it from future violations of GLB safeguards and privacy rules.
The consent orders for both cases are open for public comment until July 9.