In a first for the U.S. Federal Trade Commission, the agency has filed charges against two businesses that allegedly allowed consumer personal data to be leaked through P-to-P (peer-to-peer) software installed on their networks.
In complaints released Thursday, the FTC alleged that EPN, a Provo, Utah, debt collection firm doing business as Checknet, and Franklin Toyota/Scion, a Statesboro, Georgia, car dealership, exposed the sensitive personal data of thousands of consumers by allowing P-to-P file-sharing software to be installed on their corporate computer systems.
Proposed settlements with the FTC bar the companies from misrepresenting their privacy and security measures, and require the businesses to establish comprehensive information security programs, the FTC said in a press release.
Checknet, whose clients include health-care providers, commercial credit organizations and retailers, failed to implement reasonable security measures for personal information on its computers and networks, the FTC alleged. The company’s chief operating officer installed P-to-P software on the company’s system, the agency said.
Before the company discovered and disabled the P-to-P software in April 2008, the P-to-P software shared sensitive information, including Social Security numbers, health insurance numbers and medical diagnosis codes, of 3,800 hospital patients with other users of the P-to-P software, the FTC said in its complaint.
The company did not have an appropriate information security plan, the FTC alleged. Checknet also failed to assess risks to the consumer information it stored, did not adequately train employees and did not use reasonable measures to enforce compliance with its security policies, the agency said.
The failure to maintain an adequate cybersecurity program was an unfair business practice that violates U.S. law, the agency said.
Checknet is “eager” to follow all of the FTC guidelines in its settlement with the agency, the company said in a statement. The company “never intended to cause harm,” it said. It called the problem a “one-time, isolated incident” that caused no identity theft or fraud, and said it has made significant improvements to its security.
“This was an unfortunate incident that was immediately corrected,” Jessica Devenish, CEO of Checknet, said in the statement. “We have never operated out of arrogance or neglect and we will now continue to operate with our clients and their consumers in mind.”
The incident has led to “broad introspection” at the company, she added. “This event has strengthened our resolve to look into the ‘nooks and crannies’ of our operation, find weakness, and make corrections,” she said. “While the FTC has placed us under a microscope, it is nothing compared to what we have done already ourselves.”
In a separate case, the FTC charged that auto dealer Franklin’s Budget Car Sales, also known as Franklin Toyota/Scion, also allowed P-to-P software on its network.
The P-to-P software on Franklin’s network shared the names, addresses, Social Security numbers, dates of birth and driver’s license numbers of 95,000 customers with other P-to-P users, the FTC alleged.
Franklin failed to prevent and detect unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information, the FTC alleged.
Because Franklin offered financial services, the alleged security failures violated the U.S. Gramm-Leach-Bliley (GLB) Safeguards Rule, which requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information, the FTC said.
This is the FTC’s first action against an auto dealer for GLB violations.
Under a settlement with the FTC, Franklin must maintain a comprehensive information security program and undergo independent data security audits every other year for 20 years.
A representative of Franklin declined to comment on the FTC charges.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service.