The Federal Trade Commission (FTC) has charged auto dealer Franklin’s Budget Car Sales, Inc. and debt collection business EPN, Inc. with illegally exposing sensitive personal information of thousands of their consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems without the necessary safeguarding measures, say FTC attorneys Karen Jessica Lyons and Karen Jagielski.
Settlements with both companies require each to establish comprehensive data security programs and undergo periodic audits.
An employee from EPN, which has numerous commercial clients including retailers and health care facilities, downloaded a P2P program onto a business computer, Lyons says – a move that inadvertently led to illegal sharing of private consumer information.
“At the time the P2P program was downloaded, the program’s default setting shared a folder that was inadvertently shared in the entire P2P network,” Lyons says. “When this happened, EPN had no policy prohibiting the use of a P2P program.” She adds that EPN should have instituted, among other measures, an incident response plan, a risk assessment, data security controls, and training for employees in safeguarding sensitive information.
As a result of this lack of security, Lyons says, confidential information belonging to 3,800 patients of a hospital was shared on the P2P network. Among the private details released were patients’ addresses, health insurance information and social security numbers, Lyons says.
Jagielski, who worked on the case against Franklin’s Budget Car Sales, Inc., says that the sharing of that company’s sensitive client information on a P2P network also appears to have been inadvertent, and the result of a gross failure to “identify foreseeable external risks to their customers’ information, and failing to design and implement safeguards to secure that information.”
Jagielski states that this safeguarding process must be ongoing. As a result of that failure, 95,000 consumers had their information, including social security numbers and driver’s license numbers, exposed on the P2P network from Franklin’s computers.
Both Lyons and Jagielski say P2P file sharing poses a serious risk for businesses. “The concern is that businesses will permit these sorts of programs to be downloaded to their computers on which they have sensitive info,” Jagielski says. “They must be aware of the risks involved, and make sure they are doing all they can to address these concerns.”
Lyons says that part of what makes exposing information on a P2P network so serious is that it is virtually impossible to retract. “Even if you remove the software program and cut off access to sensitive files, if someone else has downloaded the information once, they can potentially upload it again.” She adds that with information like social security numbers leaked, the dangers are especially grim because “social security numbers are persistent identifiers that you can’t change.”
The settlement order with EPN bars the company from misrepresenting its privacy policies and requires EPN to establish and maintain a comprehensive information security program, Lyons says. It also requires EPN to undergo data security audits by independent auditors every other year for 20 years. The settlement agreement with Franklin likewise bars misrepresentations about its privacy measures and bars Franklin from further violating the GLB Safeguards Rule and Privacy Rule. Franklin must also establish and maintain a comprehensive information security program and undergo data security audits by independent auditors every other year for 20 years, Jagielski says.