The Federal Trade Commission announced settlements with Utah-based debt collector EPN, Inc. and Georgia-based Franklin’s Budget Car Sales, Inc. over charges concerning the illegal exposure of consumers’ sensitive personal data. The FTC said:
P2P technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, video, and documents. But the FTC has found that P2P software can pose significant data security risks. A 2010 FTC examination of P2P-related breaches uncovered a wide range of sensitive consumer data available on P2P networks, including health-related information, financial records, and driver’s license and social security numbers. […]
The FTC alleged that EPN, Inc., a debt collector based in Provo, Utah whose clients have included healthcare providers, commercial credit organizations and retailers, failed to implement reasonable security measures for personal information on its computers and networks. As a result of these failures, EPN’s chief operating officer was able to install P2P file-sharing software on the EPN computer system, causing sensitive information including Social Security numbers, health insurance numbers and medical diagnosis codes of 3,800 hospital patients to be made available to any computer connected to the P2P network. […]
The settlement order with debt collector EPN bars misrepresentations about the privacy, security, confidentiality, and integrity of any personal information. It requires EPN to establish and maintain a comprehensive information security program. It also requires EPN to undergo data security audits by independent auditors every other year for 20 years.
In a separate case, the FTC charged that auto dealer Franklin’s Budget Car Sales, Inc., also known as Franklin Toyota/Scion, of Statesboro, Georgia, compromised consumers’ personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network. […]
The FTC alleges that Franklin failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information for 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers. […]
The settlement agreement with Franklin will bar misrepresentations about the privacy, security, confidentiality, and integrity of personal information collected from consumers. It bars Franklin from violating the GLB Safeguards Rule and Privacy Rule. Under the settlement, Franklin Auto must also establish and maintain a comprehensive information security program, and undergo data security audits by independent auditors every other year for 20 years.