Advertising, Marketing & Privacy Law Practice

The FTC recently announced that it settled charges with two businesses for exposing sensitive personal information of thousands of consumers through use of peer-to-peer (“P2P”) software. In the first case, EPN, Inc., a debt collector whose clients include healthcare providers and commercial credit companies, allowed P2P file-sharing software on its Chief Operating Officer’s computer. The P2P software enabled social security numbers, health insurance numbers, and medical diagnosis codes of hospital patients to be available to any computer connected to the P2P network. In the second case, Franklin’s Budget Car Sales, Inc. allowed P2P software on employee computers, which resulted in unauthorized access to names, addresses, social security numbers, dates of birth, and driver’s license numbers of its auto sale and lease customers. Franklin’s privacy policy stated that “We restrict access to nonpublic personal information about you to only those employees who need to know that information to provide products and services to you.” The FTC charged both companies with failing to: (1) assess risks to the consumer information it collected or stored online; (2) adopt policies to prevent or limit customer information from unauthorized disclosure; (3) prevent, detect, and investigate unauthorized access to personal information on its networks; and (4) adequately train employees on safeguarding private consumer information. Both companies were charged with committing “unfair acts” in violation of Section 5 of the FTC Act. Further, because Franklin’s is a financial institution, the FTC charged that its security failures violated the Gramm-Leach-Bliley Safeguards Rule. Both EPN and Franklin’s are barred by the settlements from misrepresenting the privacy, security, confidentiality, and integrity of personal information collected from consumers. The companies must also establish and maintain a comprehensive information security program and undergo independent data security audits every other year for 20 years.

TIP: Since releasing a 2010 report on P2P-related data security breaches, the FTC has taken a keen interest in P2P privacy issues. Companies that have P2P software on their corporate computer systems should take affirmative steps—such as preventing and responding to unauthorized access and training employees—to maintain the security of information when P2P software is used on their systems.