On June 7, 2012, the Federal Trade Commission announced settlement agreements with two businesses that allegedly exposed customers’ sensitive personal information by allowing peer-to-peer (“P2P”) file-sharing software to be installed on their company computers and networks.
In its complaint against Franklin’s Budget Car Sales (“Franklin”), a Georgia automobile dealership that also provides financing to its customers, the FTC alleged that Franklin failed to implement reasonable security measures to protect the consumer personal information it routinely collects in the course of its business. According to the complaint, the personal information of approximately 95,000 customers, including names, Social Security numbers, addresses, dates of birth and driver’s license numbers, was made available and disclosed through a P2P application installed on a computer connected to Franklin’s network. In addition to alleging violations of Section 5 of the FTC Act, the FTC claimed that Franklin violated the Gramm-Leach-Bliley Act (“GLB”); this is the first FTC case against an auto dealer to allege GLB violations. The complaint stated that Franklin failed to implement reasonable security policies and procedures, in violation of the GLB Safeguards Rule, and failed to send consumers annual privacy notices and to provide the required opt-out mechanisms, in violation of the GLB Privacy Rule.
In its complaint against Utah-based EPN, Inc. (“EPN”), a provider of debt collection services to clients in a variety of industries, the FTC alleged that, as a result of EPN’s failure to provide reasonable and appropriate security for the personal information it collects, a P2P application was installed on a desktop computer connected to the company’s network. According to the complaint, a client informed EPN that two files containing the personal information of approximately 3,800 consumers (including names, addresses, dates of birth, Social Security numbers, employer names, employer addresses, health insurance numbers and diagnosis codes) were available on the P2P network and could be viewed or downloaded by anyone using a computer with access to that network.
The proposed settlements bar both companies from misrepresenting their privacy and information security practices with regard to personal information, and the Franklin settlement additionally bars violations of the GLB Safeguards Rule and Privacy Rule. Both settlements also require the businesses to establish and maintain a comprehensive information security program, subject to biennial independent third-party audits, for 20 years.