FTC charges businesses exposed sensitive information on P2P file-sharing networks

an unfair act or practice and violated federal law.

The settlement order with debt collector EPN bars misrepresentations about the privacy, security, confidentiality, and integrity of any personal information. It requires EPN to establish and maintain a comprehensive information security program. It also requires EPN to undergo data security audits by independent auditors every other year for twenty years.

In a separate case, the FTC charged that auto dealer Franklin’s Budget Car Sales, Inc., also known as Franklin Toyota/Scion, of Statesboro, Georgia, compromised consumers’ personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network.

Franklin sells and leases cars and provides financing for its customers. According to the FTC, its privacy policy said, “We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information.”

The FTC alleges that Franklin failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information for 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers.

The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online and failed to adopt policies to prevent or limit unauthorized disclosure of information. It also allegedly failed to prevent, detect, and investigate unauthorized access to personal information on its networks, failed to adequately train employees, and failed to employ reasonable measures to respond to unauthorized access to personal information. Because Franklin is a financial institution, the alleged security failures violated the Gramm-Leach-Bliley (GLB) Safeguards Rule as well as Section 5 of the FTC Act. Franklin also allegedly failed to provide annual privacy notices and to provide a mechanism by which consumers could opt out of information sharing with third parties, in violation of the GLB Privacy Rule. This is the FTC's first action against an auto dealer charging GLB violations.

The agency says that the settlement agreement with Franklin will bar misrepresentations about the privacy, security, confidentiality, and integrity of personal information collected from consumers. It bars Franklin from violating the GLB Safeguards Rule and Privacy Rule. Under the settlement, Franklin Auto must also establish and maintain a comprehensive information security program, and undergo data security audits by independent auditors every other year for twenty years.

The Commission vote to accept the consent agreement packages containing the proposed consent orders for public comment was 5-0.