The Federal Trade Commission (FTC) announced Thursday that it had reached settlements with two companies that it said exposed sensitive consumer data over peer-to-peer file-sharing networks. The companies have agreed to data security process audits for the next 20 years.
Peer-to-peer (P2P) file-sharing networks allow users to access files on other users’ computers. The applications are commonly used to share music, videos, and work documents.
The FTC alleged that EPN, Inc. – doing business as Checknet, Inc. – a debt collector based in Provo, Utah, failed to implement reasonable security measures for personal information on its computers and networks. As a result of these failures, EPN’s chief operating officer was able to install P2P file-sharing software on her EPN desktop, which, in 2008, caused a file containing sensitive information including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients to be made available to any computer connected to the P2P network.
According to the agency, the failure to implement reasonable and appropriate data security measures was an unfair act or practice and violated federal law.
The settlement order with debt collector EPN/Checknet bars misrepresentations about the privacy, security, confidentiality, and integrity of any personal information. It requires EPN to establish and maintain a comprehensive information security program. It also requires EPN to undergo data security audits by independent auditors every other year for 20 years.
“This was an unfortunate incident that was immediately corrected,” said Jessica Devenish, CEO of Checknet. “Since, we have learned considerably in terms of improving our security and infrastructure and stand behind our model today. We have never operated out of arrogance or neglect and we will now continue to operate with our clients and their consumers in mind.”
The company also noted that the incident that led to the FTC complaint was a one-time, isolated event that involved a limited number of records of one particular client. The client contacted Checknet in April 2008 to tell them that the file was available on a P2P network. Checknet immediately removed the P2P network access from the computer.
According to the company, no identity theft, material harm, or fraud has occurred as a result of the incident, which took place four years prior. Checknet said it holds all rules and regulations in high regard in accordance with industry standards. The company will maintain compliance and will perform all audits as required by the FTC consent agreement.
“Although no harm was done it was still an error, and errors have consequences,” said Devenish. “One of those consequences is dealing with the FTC, through which we will now be closely monitored. The monitoring will reveal the corrective actions we have taken. I am proud to say that Checknet has always been committed to compliance and we will continue to improve our internal procedures to ensure security of confidential data. This event has strengthened our resolve to look into the nooks and crannies of our operation, find weakness, and make corrections. While the FTC has placed us under a microscope, it is nothing compared to what we have done already ourselves.”
In a separate case, the FTC said that it reached a similar agreement with an auto dealer in Statesboro, Ga. The agency said that Franklin’s Budget Car Sales, Inc., also known as Franklin Toyota/Scion, also did not have proper security processes in place to prevent P2P file-sharing software from being installed on one of its computers. The result was that the private information – including names, addresses, Social Security numbers, dates of birth, and driver’s license numbers – of 95,000 consumers was exposed on the P2P network.
Because Franklin is a financial institution, the alleged security failures violated the Gramm-Leach-Bliley (GLB) Safeguards Rule as well as Section 5 of the FTC Act. Franklin also allegedly failed to provide annual privacy notices and provide a mechanism by which consumers could opt out of information sharing with third parties, in violation of the GLB Privacy Rule.
The FTC noted that this is the first action against an auto dealer charging GLB violations.
The settlement agreement with Franklin will bar misrepresentations about the privacy, security, confidentiality, and integrity of personal information collected from consumers. It bars Franklin from violating the GLB Safeguards Rule and Privacy Rule. Under the settlement, Franklin Auto must also establish and maintain a comprehensive information security program, and undergo data security audits by independent auditors every other year for 20 years.