By Brian Ryoo

The Federal Trade Commission (“FTC”) reached separate settlements with two companies it had accused of exposing sensitive personal information through peer-to-peer (“P2P”) file-sharing software installed on their corporate networks.  The complaints filed against the companies alleged that the companies failed to have in place adequate information security policies and procedures, risk assessment protocols, employee training, or other internal compliance measures.

  • According to the complaint filed against EPN, Inc., which provides debt collection services, EPN’s failure to implement reasonable network security measures allowed its Chief Operating Officer to install P2P file-sharing software on the corporate computer system. According to the Commission, as a result, any computer connected to the P2P network could access sensitive information, including Social Security Numbers, health insurance numbers, and the medical diagnosis codes of 3,800 hospital patients.
  • The FTC’s complaint against Franklin’s Budget Car Sales, a car dealership that also provides financing services, alleged that file-sharing software installed on the company’s network had exposed sensitive information―including names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers―belonging to 95,000 customers. 

The Franklin complaint is the FTC’s first action involving an automobile dealer charged with violations of the Gramm-Leach-Bliley Act. Both actions involved violations of Section 5 of the FTC Act. The settlement agreements bar misrepresentation about the companies’ privacy and information security practices, require the businesses to maintain comprehensive information security programs, and require the companies to undergo periodic data security audits by independent auditors.

These settlements come on the heels of the FTC’s 2010 report on the dangers of P2P file-sharing.  In that report, the Commission found that a “wide range of sensitive consumer data was available on P2P networks.” 

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.