FTC charges businesses that exposed sensitive information on P2P file-sharing networks

Published 25 June 2012

The U.S. Federal Trade Commission (FTC) has charged two businesses with illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on their corporate computer systems.

The U.S. Federal Trade Commission (FTC) says that, as part of its ongoing efforts to safeguard consumers' private information, it has charged two businesses [complaint 1 | complaint 2] with illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on their corporate computer systems. The agency says that settlements with the debt collection business and the auto dealer will bar both companies from misrepresenting the privacy, security, confidentiality, and integrity of any personal information they hold. Both companies must also establish and maintain comprehensive information security programs.

The FTC says that P2P technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, video, and documents. The FTC has found, however, that P2P software can pose significant data security risks. A 2010 FTC examination of P2P-related breaches uncovered a wide range of sensitive consumer data available on P2P networks, including health-related information, financial records, and driver's license and Social Security numbers.

Files shared to a P2P network are available for viewing or downloading by any computer user with access to the network. Generally, once a file has been shared it cannot be permanently removed from the P2P network, because every peer that downloaded it can keep serving it. As a result, files can continue to be shared among computers long after they have been deleted from the original source computer.

The FTC alleged that EPN, Inc., a debt collector based in Provo, Utah whose clients have included healthcare providers, commercial credit organizations, and retailers, failed to implement reasonable security measures for the personal information on its computers and networks. Because of these failures, EPN's chief operating officer was able to install P2P file-sharing software on the EPN computer system, which made sensitive information, including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients, available to any computer connected to the P2P network.

The agency charged that the company did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies (for example, scanning its networks to identify any P2P file-sharing applications running on them), and did not use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on its networks. According to the agency, the failure to implement reasonable and appropriate data security measures was
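The one concrete control the complaint faults EPN for lacking is a scan of its own systems for P2P file-sharing applications. The script below is an added example of such a host-level check and is not code from the FTC, EPN, or the article. It matches process names and listening TCP ports against a small signature list of well-known P2P clients and their historical default ports (Gnutella 6346/6347, eDonkey 4662, BitTorrent 6881-6889); the signature list, the hostname `ws-coo-01`, and the `ps`/`netstat`-style sample rows are all constructed for illustration, and the socket parser assumes Linux `netstat -tln` output, not the Windows format.

```python
"""Flag P2P file-sharing clients from process and listening-socket listings.

Added example, not from the FTC complaints or the article. Signature lists
are an assumption for illustration; extend them from your own inventory.
"""
import re
from dataclasses import dataclass

# Substrings matched against the lowercased process basename (".exe" stripped).
P2P_PROCESS_NAMES = {
    "limewire": "LimeWire (Gnutella)",
    "frostwire": "FrostWire (Gnutella/BitTorrent)",
    "emule": "eMule (eDonkey)",
    "kazaa": "Kazaa (FastTrack)",
    "utorrent": "uTorrent (BitTorrent)",
    "bittorrent": "BitTorrent client",
}

# Historical default listening ports; a listener here is a lead, not proof.
P2P_LISTEN_PORTS = {4662: "eDonkey default TCP", 6346: "Gnutella", 6347: "Gnutella"}
P2P_LISTEN_PORTS.update({p: "BitTorrent default range" for p in range(6881, 6890)})


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str       # "process" or "port"
    evidence: str   # what was matched, for the investigator
    label: str      # which signature fired


# Linux `netstat -tln` row: proto, recv-q, send-q, local addr:port, foreign, state.
_LISTEN_RE = re.compile(r"^\s*tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\b", re.I)


def _basename(cmd):
    name = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def scan_processes(host, ps_lines):
    """ps_lines: 'USER PID COMMAND [ARGS...]' rows; header rows are skipped."""
    findings = []
    for line in ps_lines:
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[1].isdigit():
            continue  # header or malformed row
        name = _basename(fields[2].split()[0])
        for sig, label in P2P_PROCESS_NAMES.items():
            if sig in name:
                findings.append(Finding(host, "process", f"pid {fields[1]} {name}", label))
                break
    return findings


def scan_sockets(host, netstat_lines):
    """netstat_lines: Linux `netstat -tln` rows; only LISTEN sockets are checked."""
    findings = []
    for line in netstat_lines:
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        port = int(m.group(2))
        if port in P2P_LISTEN_PORTS:
            findings.append(Finding(host, "port", f"{m.group(1)}:{port}", P2P_LISTEN_PORTS[port]))
    return findings


def scan_host(host, ps_lines, netstat_lines):
    """Combine both checks; process hits come first, then port hits."""
    return scan_processes(host, ps_lines) + scan_sockets(host, netstat_lines)


# Constructed sample data: one workstation with a Gnutella client running.
SAMPLE_PS = [
    "USER       PID COMMAND",
    "root         1 /sbin/init",
    "jdoe      2210 /usr/bin/python3 /opt/collector/app.py",
    "jdoe      3117 /home/jdoe/LimeWire/LimeWire.exe --minimized",
]
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:6346            0.0.0.0:*               LISTEN",
    "tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN",
]

if __name__ == "__main__":
    for f in scan_host("ws-coo-01", SAMPLE_PS, SAMPLE_NETSTAT):
        print(f"{f.host}: {f.kind} {f.evidence} -> {f.label}")
```

Run against real hosts by feeding it the output of `ps -eo user,pid,args` and `netstat -tln` collected by your endpoint agent or over SSH. A port hit alone is only a lead (other software can sit on 6881), but a process-name hit together with a listener on a known P2P port is the kind of evidence that should open an investigation, which is exactly the enforcement step the complaint says was missing.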