FTC charges companies with leaking confidential information


The Federal Trade Commission (FTC) has charged auto dealer Franklin's Budget Car Sales, Inc. and debt collection business EPN, Inc. with illegally exposing sensitive personal information of thousands of their consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems without the necessary safeguards, say FTC attorneys Karen Jessica Lyons and Karen Jagielski.

Settlements with both companies require each to establish comprehensive data security programs and undergo periodic audits.

An employee of EPN, which has numerous commercial clients including retailers and health care facilities, downloaded a P2P program on a business computer, Lyons says, a move that inadvertently led to illegal sharing of private consumer information.

“At the time the P2P program was downloaded, the program's default setting shared a folder that was inadvertently shared in the entire P2P network,” Lyons says. “When this happened, EPN had no policy prohibiting the use of a P2P program.” She adds that EPN should have instituted, among other measures, an incident response plan, risk assessment, data security, and training for employees in safeguarding sensitive information.

As a result of this lack of security, Lyons says, confidential information belonging to 3,800 patients of a hospital was shared on the P2P network. Among the private details released were patients' addresses, health insurance information and Social Security numbers, Lyons says.

Jagielski, who worked on the case against Franklin's Budget Car Sales, Inc., says that the sharing of that company's sensitive client information on a P2P network also appears to have been inadvertent and a gross result of failing to “identify foreseeable external risks to their customers' information, and a failing to design and implement safeguards to secure that information.”

Jagielski states this safeguarding process must be ongoing. Consequently, 95,000 consumers had their information, including Social Security numbers and driver's license numbers, exposed on Franklin's P2P network.

Both Lyons and Jagielski say P2P file sharing poses a vital risk for businesses. “The concern is that businesses will permit these sorts of programs to be downloaded to their computers on which they have sensitive info,” Jagielski says. “They must be aware of the risks involved, and make sure they are doing all they can to address these concerns.”

Lyons says that part of what's so crucial about exposing information on a P2P network is that it's virtually impossible to retract. “Even if you remove the software program and cut off access to sensitive files, if someone else has downloaded the information once, they can potentially upload it again.” She adds that with information like Social Security numbers leaked, the dangers are especially grim as “social security numbers are persistent identifiers that you can't change.”

The settlement order with EPN bars company misrepresentations about its privacy policies and requires EPN to establish and maintain a comprehensive information security program, Lyons says. It also requires EPN to undergo data security audits by independent auditors every other year for 20 years. The settlement agreement with Franklin will also bar misrepresentations about its privacy measures and bars Franklin from further violating the GLB Safeguards Rule and Privacy Rule. Franklin Auto must also establish and maintain a comprehensive information security program and undergo data security audits by independent auditors every other year for 20 years, Jagielski says.   
