The FTC Charges a Debt Collection Firm and an Auto Dealership with Data Privacy Violations for Exposing Private Information through Peer-to-Peer File Sharing Networks

In a June 7 press release, the Federal Trade Commission (FTC) announced two proposed consent orders – one against a debt collection firm and the other against an auto dealership – for violations involving the public disclosure of private consumer information, including Social Security numbers. In both instances, the data breaches occurred because peer-to-peer (P2P) file sharing software was installed on company computers, which made data on a person's computer available to everyone else connected to that P2P network.

One of the two actions is against EPN, Inc., a debt collector based in Provo, Utah, which provides services to healthcare providers and other clients. The FTC alleges that EPN's chief operating officer installed P2P file sharing software on the company's network, causing the disclosure of Social Security numbers, health insurance numbers and medical diagnosis codes of 3,800 hospital patients. The software was disabled in April 2008, "when EPN was informed by a client that two files containing personal information about the client's debtors were available on a P2P network." The FTC found that, to put it in healthcare-industry terms, EPN had failed to perform a risk assessment and to address the deficiencies one would have revealed. As such, the FTC found that EPN's conduct constituted unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act.

The other action is against Franklin's Budget Car Sales, Inc., also d/b/a Franklin Toyota/Scion, of Statesboro, Georgia. In this case, records for 95,000 individuals, including names, addresses, Social Security numbers, birth dates, and driver's license numbers, were made available on a P2P network. The FTC noted that while the dealership advised consumers through a privacy policy that it "maintain[s] physical, electronic, and procedural safe guards that comply with federal regulations to guard non public personal information," the dealership failed to have appropriate safeguards in place. The FTC found that the dealership violated Section 5(a) of the FTC Act, Title V, Subtitle A of the Gramm-Leach-Bliley Act, the FTC's Privacy of Customer Financial Information Rule, and the FTC's Standards for Safeguarding Customer Information Rule.

The FTC's sanctions tend to run for a longer period than those the Office for Civil Rights (OCR) imposes in similar circumstances: each company must undergo a security risk assessment by a qualified security professional within the first 180 days after service of the order, and again every two years thereafter for 20 years. Although the FTC also fines companies in some circumstances, it did not appear to do so in these cases.

The consent agreements are subject to public comment for 30 days (available through July 9), after which the FTC will decide whether to make the proposed consent orders final.

Both the FTC and OCR have made clear that companies that handle sensitive information must take steps to ensure that the data is secure. Best practices call for a risk assessment to be performed annually, and again whenever the network infrastructure changes (e.g., purchase and integration of new equipment, transition to a new data center, closing of an office, etc.).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.