FTC charges two firms with leaking customer data on P-to-P networks

FTC charges two firms with leaking customer data on P-to-P networks

For the first time, the agency goes after businesses for allowing P-to-P software on their networks

In a first for the U.S. Federal Trade Commission, the agency has filed charges against two businesses that allegedly allowed consumer personal data to be leaked through P-to-P (peer-to-peer) software installed on their networks.

In complaints released Thursday, the FTC alleged that EPN, a Provo, Utah, debt collection firm doing business as Checknet, and Franklin Toyota/Scion, a Statesboro, Georgia, car dealership, exposed the sensitive personal data of thousands of consumers by allowing P-to-P file-sharing software to be installed on their corporate computer systems.

Proposed settlements with the FTC bar the companies from misrepresenting their privacy and security measures, and require the businesses to establish comprehensive information security programs, the FTC said in a press release.

Checknet, whose clients include health-care providers, commercial credit organizations and retailers, failed to implement reasonable security measures for personal information on its computers and networks, the FTC alleged. The company's chief operating officer installed P-to-P software on the company's system, the agency said.

Before the company discovered and disabled the P-to-P software in April 2008, the P-to-P software shared sensitive information, including Social Security numbers, health insurance numbers and medical diagnosis codes, of 3,800 hospital patients with other users of the P-to-P software, the FTC said in its complaint.

The company did not have an appropriate information security plan, the FTC alleged. Checknet also failed to assess risks to the consumer information it stored, did not adequately train employees and did not use reasonable measures to enforce compliance with its security policies, the agency said.

The failure to maintain an adequate cybersecurity program was an unfair business practice that violates U.S. law, the agency said.

Checknet is "eager" to follow all of the FTC guidelines in its settlement with the agency, the company said in a statement. The company "never intended to cause harm," it said. It called the problem a "one-time, isolated incident" that caused no identity theft or fraud, and said it has made significant improvements to its security.

"This was an unfortunate incident that was immediately corrected," Jessica Devenish, CEO of Checknet, said in the statement. "We have never operated out of arrogance or neglect and we will now continue to operate with our clients and their consumers in mind."

The incident has led to "broad introspection" at the company, she added. "This event has strengthened our resolve to look into the 'nooks and crannies' of our operation, find weakness, and make corrections," she said. "While the FTC has placed us under a microscope, it is nothing compared to what we have done already ourselves."

In a separate case, the FTC charged that auto dealer Franklin's Budget Car Sales, also known as Franklin Toyota/Scion, also allowed P-to-P software on its network.

Franklin's privacy policy said the company restricts "nonpublic personal information about you to only those employees who need to know that information." The company also said that it maintained "physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information."

The P-to-P software on Franklin's network shared the names, addresses, Social Security numbers, dates of birth and driver's license numbers of 95,000 customers with other P-to-PP-to-P users, the FTC alleged.

Franklin allegedly failed to prevent and detect unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information, the FTC alleged.

Because Franklin offered financial services, the alleged security failures violated the U.S. Gramm-Leach-Bliley (GLB) Safeguards Rule, which requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information, the FTC said.

This is the FTC's first action against an auto dealer for GLB violations.

Under a settlement with the FTC, Franklin must maintain a comprehensive information security program and undergo independent data security audits every other year for 20 years.

A representative of Franklin declined to comment on the FTC charges.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

ARN Survey on MSPs
ARN needs to profile the Managed Service Provider (MSP) in YOU!, so please spare a moment and TAKE THE MSP SURVEY NOW

Follow Us

Join the ARN newsletter!

Error: Please check your email address.



IN PICTURES: Klikon Solutions Charity Golf Day (+51 images)

IN PICTURES: Klikon Solutions Charity Golf Day (+51 images)

Klikon Solutions held a Charity Golf Day out at Macquarie Links in Sydney to help raise money for charities Ronald McDonald House and Save our Sons. ARN was onhand in blistering 39 degree conditions to witness all the worm burners first hand. Pictures by Allan Swann

IN PICTURES: Klikon Solutions Charity Golf Day (+51 images)
IN PICTURES: Exclusive Networks - 007 Spectre night (+18 images)

IN PICTURES: Exclusive Networks - 007 Spectre night (+18 images)

Exclusive Networks, in conjunction with LogRhythm and FireEye, held an event to focus on fighting cybercrime with disruptive technologies at the Hayden Orpheum Theatre in Sydney. As part of the 007 - Spectre film theme, guests were invited to attend in their best James Bond attire. Pictures by Allan Swann

IN PICTURES: Exclusive Networks - 007 Spectre night (+18 images)
IN PICTURES: ARN Roundtable - Data Protection in the Hybrid Cloud (+28 photos)

IN PICTURES: ARN Roundtable - Data Protection in the Hybrid Cloud (+28 photos)

This exclusive ARN roundtable highlighted the opportunities and trends in the data protection market, and how the industry has evolved; examined the unique challenges in the hybrid Cloud environment and the associated customer pain points, and highlighted the growing business opportunities for partners. It was sponsored by EMC. Photos by ARN editorial Director, MIKE GEE.

IN PICTURES: ARN Roundtable - Data Protection in the Hybrid Cloud (+28 photos) is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments