Flying “under the radar” this week, overshadowed by the high-profile LinkedIn data breach, was news that the Federal Trade Commission charged two businesses with illegally exposing the sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems. P2P software is commonly used to play games, make online telephone calls, and share software, music, videos and documents. If it is not configured correctly, however, files never intended for sharing may be accessible to anyone on the P2P network. Once shared, a file usually cannot be permanently removed from the P2P network.
In February 2010, the FTC issued a warning about the improper release of sensitive consumer data on P2P file-sharing networks. FTC Chairman, Jon Leibowitz, recommended that “[c]ompanies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs . . . should ensure that their software design does not contribute to inadvertent file sharing.”
Fast-forward two years: the FTC recently filed two complaints against businesses that allowed P2P technology to be used on their networks, exposing their consumers’ personally identifiable information. The FTC has entered into settlements in both cases, but the lessons about a company’s obligation to monitor the software its employees install are invaluable.
In the first complaint, the FTC alleged that an auto dealer compromised its consumers’ personal information by allowing P2P software to be installed on its network, which led to sensitive financial information being uploaded to the P2P network. The FTC claims that the auto dealer failed to implement “reasonable security measures” such as:
- assessing risks to the consumer information it collected and stored
- adopting policies to prevent or limit unauthorized disclosure of information
- preventing, detecting, and investigating unauthorized access to personal information on its networks
- adequately training employees
- responding to unauthorized access to personal information
Because the dealer is also a financial institution, it was governed by the Gramm-Leach-Bliley Safeguards Rule, and it accordingly also failed to provide annual privacy notices and a mechanism by which consumers could opt out of information sharing with third parties.
In the second complaint, the FTC charged a debt collection company with failure to implement reasonable security measures after the company’s COO installed a P2P application on her desktop computer that allowed private information of 3,800 of the company’s clients’ customers to leak into the P2P network. The FTC’s complaint details some of the debt collection company’s alleged failures:
- failure to adopt an information security plan that was appropriate for its network and for the personal information processed and stored on it
- failure to implement an incident response plan
- failure to assess risks to the consumer information collected and stored online
- failure to adequately train employees about security to prevent unauthorized disclosure of personal information
- failure to assess and enforce compliance with its existing security policies and procedures, such as scanning networks to identify unauthorized P2P file sharing applications and other unauthorized applications operating on the networks or blocking installation of such programs
- failure to prevent, detect, and investigate unauthorized access to personal information on its networks, such as by logging network activity and inspecting outgoing transmissions to the Internet to identify unauthorized disclosures of personal information.
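As an added example (not from the post or the FTC filings), here is a small Python sweep of the kind the last two items describe: it checks a software inventory for known P2P clients and inspects outbound connection records for the many-peer fan-out typical of file sharing. The process watchlist, host names and flow lines are constructed sample data, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict

# Assumed watchlist of P2P file-sharing client process names (illustrative,
# not an authoritative list); compared case-insensitively.
P2P_PROCESS_NAMES = {"limewire.exe", "frostwire.exe", "utorrent.exe",
                     "bittorrent.exe", "emule.exe"}

# Constructed software inventory: (host, running process).
INVENTORY = [
    ("WS-COO-01", "outlook.exe"),
    ("WS-COO-01", "LimeWire.exe"),
    ("WS-ACCT-07", "excel.exe"),
]

# Constructed outbound flow records: "src_host dst_ip dst_port bytes_out".
# Addresses are RFC 5737 documentation ranges, not real peers.
FLOWS = """\
WS-COO-01 203.0.113.5 6346 128000
WS-COO-01 198.51.100.9 6346 90000
WS-COO-01 192.0.2.44 51413 250000
WS-COO-01 203.0.113.77 51413 140000
WS-COO-01 198.51.100.23 6881 300000
WS-ACCT-07 203.0.113.10 443 4000
WS-ACCT-07 203.0.113.10 443 5200
"""


def unauthorized_processes(inventory):
    """Return (host, process) pairs whose process is on the P2P watchlist."""
    return [(host, proc) for host, proc in inventory
            if proc.lower() in P2P_PROCESS_NAMES]


def p2p_fanout_hosts(flow_text, min_peers=4, min_bytes=100_000):
    """Flag hosts uploading a sizable volume to many distinct external peers.

    This is a crude fan-out heuristic meant to prompt review of outgoing
    transmissions, not proof of misuse. Returns {host: (peer_count, bytes_out)}.
    """
    peers = defaultdict(set)
    bytes_out = defaultdict(int)
    for line in flow_text.splitlines():
        host, dst_ip, _port, nbytes = line.split()
        peers[host].add(dst_ip)
        bytes_out[host] += int(nbytes)
    return {host: (len(p), bytes_out[host]) for host, p in peers.items()
            if len(p) >= min_peers and bytes_out[host] >= min_bytes}
```

Either finding would feed the incident response and risk-assessment steps the complaint lists, rather than being treated as a verdict on its own.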
The settlement agreements entered into in both cases require the companies to, among other things, establish and maintain a comprehensive information security program and undergo data security audits by independent auditors every other year for 20 years.
So what are the take-aways? First, this is a major warning to companies that the FTC may hold them responsible for software that a company employee installs on her desktop. Second, P2P software can be a significant threat to private information and it is important that companies take steps to monitor and perhaps entirely prevent the use of such software. Third, the terms of settlement show why it is important for companies to be proactive and undergo audits of their information security network, adopt information security policies and procedures, train their employees, and continue staying vigilant against threats to private information stored on their networks before a data breach occurs.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.