FTC charges two firms with leaking customer data on P-to-P networks

For the first time, the agency goes after businesses for allowing P-to-P software on their networks

In a first for the U.S. Federal Trade Commission, the agency has filed charges against two businesses that allegedly allowed consumer personal data to be leaked through P-to-P (peer-to-peer) software installed on their networks.

In complaints released Thursday, the FTC alleged that EPN, a Provo, Utah, debt collection firm doing business as Checknet, and Franklin Toyota/Scion, a Statesboro, Georgia, car dealership, exposed the sensitive personal data of thousands of consumers by allowing P-to-P file-sharing software to be installed on their corporate computer systems.

Proposed settlements with the FTC bar the companies from misrepresenting their privacy and security measures, and require the businesses to establish comprehensive information security programs, the FTC said in a press release.

Checknet, whose clients include health-care providers, commercial credit organizations and retailers, failed to implement reasonable security measures for personal information on its computers and networks, the FTC alleged. The company's chief operating officer installed P-to-P software on the company's system, the agency said.

Before the company discovered and disabled the P-to-P software in April 2008, the P-to-P software shared sensitive information, including Social Security numbers, health insurance numbers and medical diagnosis codes, of 3,800 hospital patients with other users of the P-to-P software, the FTC said in its complaint.

The company did not have an appropriate information security plan, the FTC alleged. Checknet also failed to assess risks to the consumer information it stored, did not adequately train employees and did not use reasonable measures to enforce compliance with its security policies, the agency said.

The failure to maintain an adequate cybersecurity program was an unfair business practice that violates U.S. law, the agency said.

Checknet is "eager" to follow all of the FTC guidelines in its settlement with the agency, the company said in a statement. The company "never intended to cause harm," it said. It called the problem a "one-time, isolated incident" that caused no identity theft or fraud, and said it has made significant improvements to its security.

"This was an unfortunate incident that was immediately corrected," Jessica Devenish, CEO of Checknet, said in the statement. "We have never operated out of arrogance or neglect and we will now continue to operate with our clients and their consumers in mind."

The incident has led to "broad introspection" at the company, she added. "This event has strengthened our resolve to look into the 'nooks and crannies' of our operation, find weakness, and make corrections," she said. "While the FTC has placed us under a microscope, it is nothing compared to what we have done already ourselves."

In a separate case, the FTC charged that auto dealer Franklin's Budget Car Sales, also known as Franklin Toyota/Scion, also allowed P-to-P software on its network.

Franklin's privacy policy said the company restricts "nonpublic personal information about you to only those employees who need to know that information." The company also said that it maintained "physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information."

The P-to-P software on Franklin's network shared the names, addresses, Social Security numbers, dates of birth and driver's license numbers of 95,000 customers with other P-to-P users, the FTC alleged.

Franklin allegedly failed to prevent and detect unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information, the FTC alleged.

Because Franklin offered financial services, the alleged security failures violated the U.S. Gramm-Leach-Bliley (GLB) Safeguards Rule, which requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information, the FTC said.

This is the FTC's first action against an auto dealer for GLB violations.

Under a settlement with the FTC, Franklin must maintain a comprehensive information security program and undergo independent data security audits every other year for 20 years.

A representative of Franklin declined to comment on the FTC charges.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
