According to a press release about the charges against EPN Inc. and Franklin's Budget Car Sales Inc., the FTC is alleging that the two companies failed to implement "reasonable security measures" against the installation of P2P software, which is used for trading music and movies, but may leave the involved computers open to data and file theft.
The FTC is seeking settlements with EPN, a debt-collection business, and the auto dealer that will bar misrepresentations about their privacy, security, confidentiality, and integrity of any personal information. The settlement also would require the companies to establish and maintain comprehensive information security programs.
The FTC alleges that EPN's chief operating officer installed P2P file-sharing software on the EPN computer system, causing sensitive information -- including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients -- to be made available to any computer connected to the P2P network.
The agency charged that EPN did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, and did not use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on its networks.
The settlement order requires EPN to undergo data security audits by independent auditors every other year for 20 years.
In a separate case, the FTC charged that auto dealer Franklin’s Budget Car Sales (also known as Franklin Toyota/Scion) compromised consumers’ personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network.
The FTC alleges that Franklin failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information for 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers.
The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online, and failed to adopt policies to prevent or limit unauthorized disclosure of information. It also allegedly failed to prevent, detect, and investigate unauthorized access to personal information on its networks, failed to adequately train employees, and failed to employ reasonable measures to respond to unauthorized access to personal information.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.