FTC Proposes Settlements for Peer-to-peer File-sharing Data Breaches | Practical Law

The Federal Trade Commission has announced proposed settlements with two different businesses over charges that each had separately violated the FTC Act by failing to implement reasonable and appropriate data security measures. Each business allegedly permitted peer-to-peer (P2P) file-sharing software to be installed on its corporate computer systems, making sensitive customer information available to the P2P networks.

Practical Law Legal Update 7-519-8040 (Approx. 3 pages)

by PLC Intellectual Property & Technology
Published on 11 Jun 2012, USA (National/Federal)
In a June 7, 2012, press release the FTC announced two proposed consent orders to settle claims of FTC Act violations against two businesses, EPN, Inc. and Franklin's Budget Car Sales, Inc. The complaints against both businesses asserted that the lack of adequate data security safeguards allowed personnel to install peer-to-peer (P2P) file-sharing software on their corporate computer systems. The installations allegedly exposed the personal information of thousands of consumers to the P2P networks.

EPN Settlement

In its complaint against EPN, the FTC asserted that EPN violated the FTC Act by failing to implement reasonable network security measures to protect consumers' personal information. These failures allowed EPN's chief operating officer to install P2P file-sharing software on the corporate computer system, making sensitive information available to any computer connected to the P2P network. The exposed information included consumers' Social Security numbers and health insurance numbers.
Specifically, the FTC charged that EPN failed to:
  • Have an appropriate information security plan.
  • Assess risks to consumer information.
  • Adequately train employees.
  • Use reasonable measures to enforce security policy compliance.
  • Use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks.
The proposed FTC settlement order with EPN:
  • Bars misrepresentations about the privacy, security, confidentiality and integrity of personal information.
  • Requires EPN to establish and maintain a comprehensive information security program.
  • Requires data security audits by independent auditors every other year for 20 years.

Franklin Settlement

The FTC alleged similar FTC Act violations in its complaint against Franklin, a car dealer that provides financing for its customers to buy and lease cars. Because Franklin is a financial institution, the complaint further alleged that the security failures violated the Gramm-Leach-Bliley Safeguards Rule. The exposed information included names, addresses, Social Security numbers, dates of birth and driver's license numbers.
Specifically, the FTC charged that Franklin failed to:
  • Assess risks to consumer information.
  • Adopt policies to prevent or limit unauthorized disclosure of information.
  • Prevent, detect and investigate unauthorized access to personal information on its networks.
  • Adequately train employees.
  • Employ reasonable measures to respond to unauthorized access to personal information.
  • Provide annual privacy notices and a consumer opt-out mechanism, in violation of the Gramm-Leach-Bliley Privacy Rule.
The proposed FTC settlement order with Franklin:
  • Bars misrepresentations about the privacy, security, confidentiality and integrity of personal information collected from consumers.
  • Bars future violations of the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule.
  • Requires Franklin to establish and maintain a comprehensive information security program.
  • Requires data security audits by independent auditors every other year for 20 years.

Publication and Public Comment

Descriptions of the consent agreement packages will appear in the Federal Register. The agreements are subject to public comment for 30 days, through July 9, 2012, after which the FTC will decide whether to make the proposed consent orders final. Written comments may be submitted through the FTC website by using:
  • Comment Form to comment on the proposed settlement with EPN, Inc.
  • Comment Form to comment on the proposed settlement with Franklin's Budget Car Sales, Inc.