FTC charges two firms with leaking customer data on P-to-P networks

For the first time, the agency goes after businesses for allowing P-to-P software on their networks

In a first for the U.S. Federal Trade Commission, the agency has filed charges against two businesses that allegedly allowed consumer personal data to be leaked through P-to-P (peer-to-peer) software installed on their networks.

In complaints released Thursday, the FTC alleged that EPN, a Provo, Utah, debt collection firm doing business as Checknet, and Franklin Toyota/Scion, a Statesboro, Georgia, car dealership, exposed the sensitive personal data of thousands of consumers by allowing P-to-P file-sharing software to be installed on their corporate computer systems.

Proposed settlements with the FTC bar the companies from misrepresenting their privacy and security measures, and require the businesses to establish comprehensive information security programs, the FTC said in a press release.

Checknet, whose clients include health-care providers, commercial credit organizations and retailers, failed to implement reasonable security measures for personal information on its computers and networks, the FTC alleged. The company's chief operating officer installed P-to-P software on the company's system, the agency said.

Before the company discovered and disabled the P-to-P software in April 2008, the P-to-P software shared sensitive information, including Social Security numbers, health insurance numbers and medical diagnosis codes, of 3,800 hospital patients with other users of the P-to-P software, the FTC said in its complaint.

The company did not have an appropriate information security plan, the FTC alleged. Checknet also failed to assess risks to the consumer information it stored, did not adequately train employees and did not use reasonable measures to enforce compliance with its security policies, the agency said.

The failure to maintain an adequate cybersecurity program was an unfair business practice that violates U.S. law, the agency said.

Checknet is "eager" to follow all of the FTC guidelines in its settlement with the agency, the company said in a statement. The company "never intended to cause harm," it said. It called the problem a "one-time, isolated incident" that caused no identity theft or fraud, and said it has made significant improvements to its security.

"This was an unfortunate incident that was immediately corrected," Jessica Devenish, CEO of Checknet, said in the statement. "We have never operated out of arrogance or neglect and we will now continue to operate with our clients and their consumers in mind."

The incident has led to "broad introspection" at the company, she added. "This event has strengthened our resolve to look into the 'nooks and crannies' of our operation, find weakness, and make corrections," she said. "While the FTC has placed us under a microscope, it is nothing compared to what we have done already ourselves."

In a separate case, the FTC charged that auto dealer Franklin's Budget Car Sales, also known as Franklin Toyota/Scion, also allowed P-to-P software on its network.

Franklin's privacy policy said the company restricts "nonpublic personal information about you to only those employees who need to know that information." The company also said that it maintained "physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information."

The P-to-P software on Franklin's network shared the names, addresses, Social Security numbers, dates of birth and driver's license numbers of 95,000 customers with other P-to-PP-to-P users, the FTC alleged.

Franklin allegedly failed to prevent and detect unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information, the FTC alleged.

Because Franklin offered financial services, the alleged security failures violated the U.S. Gramm-Leach-Bliley (GLB) Safeguards Rule, which requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information, the FTC said.

This is the FTC's first action against an auto dealer for GLB violations.

Under a settlement with the FTC, Franklin must maintain a comprehensive information security program and undergo independent data security audits every other year for 20 years.

A representative of Franklin declined to comment on the FTC charges.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?