On October 26, 2012, the FTC finalized settlements with Georgia auto dealer Franklin Budget Car Sales, Inc. and Utah-based debt collector EPN Inc. over charges that each company illegally exposed sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems. The final settlements follow a notice-and-comment period opened to the public in June 2012.
Franklin Budget Car Sales is an automobile dealership that sells new and used automobiles, leases automobiles, provides repair services for automobiles, and sells automobile parts. Franklin also provides financing for consumers’ purchases of automobiles. EPN is in the business of collecting debts for clients in a variety of industries, including the commercial credit, retail, and healthcare industries. Both companies allowed P2P file-sharing software, which the FTC in 2010 had warned posed significant data security risks, to be installed on corporate computer systems. As a result, the personal information of thousands of consumers was potentially shared with other users on the P2P network. Specifically with respect to EPN, the FTC alleged that the company actually shared the personal information of approximately 3,800 consumers with other users on the P2P network.
The FTC charged Franklin Budget Car Sales with violations of the Gramm-Leach-Bliley Act (GLBA). GLBA applies to financial institutions, and the FTC treated Franklin as a financial institution because of the financing services it provides consumers in connection with the purchase of automobiles. In particular, the FTC alleged that Franklin failed to give consumers annual privacy notices and opt-out notices, as required under the GLBA privacy rule, and failed to protect the security, confidentiality, and integrity of customer information, as required under the GLBA safeguards rule. The FTC also alleged that Franklin violated section 5 of the FTC Act because the privacy statement it gave consumers claimed that the dealership restricted access to consumers’ nonpublic personal information to employees only. The FTC alleged that EPN violated section 5 of the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorized access to personal information.
The settlement agreements require both companies to implement comprehensive information security programs to protect the security, confidentiality, and integrity of consumer information. In addition, Franklin is required to comply with the GLBA privacy rule by sending annual privacy notices to consumers and, if applicable, opt-out notices if the company shares consumer information with nonaffiliated third parties. Both companies are also required to obtain initial and biennial information security assessments and reports from an independent third party to validate the effectiveness of their information security programs. The agreements also impose recordkeeping and reporting obligations on the companies, among other requirements.
Although the agreements do not impose civil fines, if either company violates its settlement agreement, the company may be liable for a fine of up to $16,000 per violation.