By Brian Ryoo

The Federal Trade Commission (“FTC”) reached separate settlements with two companies it had accused of exposing sensitive personal information through peer-to-peer (“P2P”) file-sharing software installed on their corporate networks.  The complaints filed against the companies alleged that the companies failed to have in place adequate information security policies and procedures, risk assessment protocols, employee training, or other internal compliance measures.

  • According to the complaint filed against EPN, Inc., which provides debt collection services, EPN’s failure to implement reasonable network security measures allowed its Chief Operating Officer to install P2P file-sharing software on the corporate computer system.  According to the Commission, as a result, any computer connected to the P2P network could access to sensitive information, including Social Security Numbers, health insurance numbers, and the medical diagnosis codes of 3,800 hospital patients.
  • The FTC’s complaint against Franklin’s Budget Car Sales, a car dealership that also provides financing services, alleged that file-sharing software installed on the company’s network had exposed sensitive information―including names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers―belonging to 95,000 customers. 

The Franklin complaint is the FTC’s first action involving an automobile dealer charged with violations of the Gramm-Leach-Bliley Act.   Both actions involved violations of Section 5 of the FTC Act.  The settlement agreements bar misrepresentation about the company’s privacy and information security practices, require the businesses to maintain comprehensive information security programs, and require the companies to undergo periodic data security audits by independent auditors.  

These settlements come on the heels of the FTC’s 2010 report on the dangers of P2P file-sharing.  In that report, the Commission found that a “wide range of sensitive consumer data was available on P2P networks.”