Remove any P2P file-sharing software from your network or be prepared to enter into a 20-year relationship with the Federal Trade Commission. This is what will happen to EPN, Inc., a debt collection business based in Provo, Utah, and to Franklin’s Budget Car Sales, Inc., of Statesboro, Georgia, a car dealership. In both cases, the P2P software caused sensitive personal information of thousands of consumers to be accessible to users of other computers connected to the same peer-to-peer network.
On June 7, 2012, the FTC published proposed settlement agreements with these two businesses because they had allowed peer-to-peer file sharing software to be installed on their network.
The FTC case against EPN, Inc. alleges that the lack of security measures at the company allowed the company’s COO to install P2P file-sharing software on the company’s network. As a result, sensitive information, including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients, was available to any computer connected to the P2P network.
The case against Franklin’s Budget Car Sales, Inc. alleges that the installation of P2P software on the company’s network resulted in sensitive financial information of 95,000 consumers, such as names, addresses, Social Security numbers, dates of birth, and driver’s license numbers, being made available on the P2P network.
In both cases, the companies were charged with failure to observe commonly used best practices:
- Failure to have an appropriate information security plan;
- Failure to assess risks to the consumer information collected and stored online;
- Failure to use reasonable measures to ensure security of the network, such as scanning its networks to identify any P2P file-sharing applications operating on them;
- Failure to adopt policies to prevent or limit unauthorized disclosure of information;
- Failure to prevent, detect and investigate unauthorized access to personal information on the company’s networks;
- Failure to adequately train employees;
- Failure to employ reasonable measures to respond to unauthorized access to personal information.
Failure to implement reasonable and appropriate data security measures as described above was an unfair act or practice and violated federal law, namely Section 5 of the FTC Act. In addition, Franklin’s Budget Car Sales, as a “financial institution” subject to the Gramm-Leach-Bliley Act (GLBA), was found to have violated both the GLBA Safeguards Rule and Privacy Rule by failing to provide annual privacy notices and a mechanism by which consumers could opt out of information sharing with third parties.
The proposed consent order against EPN and Franklin would require the companies to establish and maintain comprehensive information security programs, and cease any misrepresentation about their data handling practices. The settlement orders with the two companies are substantially similar. They:
- Bar any future misrepresentations about the privacy, security, confidentiality, and integrity of any personal information;
- Require the companies to establish and maintain a comprehensive information security program; and
- Require the companies to undergo data security audits by independent auditors every other year for 20 years.
As always with FTC consent orders, each violation of such an order may result in a civil penalty of up to $16,000.