On October 26, 2012, the Federal Trade Commission finalized its settlement agreements with two businesses that allegedly exposed thousands of customers’ sensitive personal information by allowing peer-to-peer (“P2P”) file-sharing software to be installed on the companies’ computer systems. The approved settlements prohibit Georgia auto dealer Franklin’s Budget Car Sales, Inc. (“Franklin”) and Utah-based debt collector EPN, Inc. (“EPN”) from misrepresenting their privacy and information security practices and require both businesses to establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years. The settlement with Franklin also bars the company from violating the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule and Privacy Rule.
As we reported in June, the FTC alleged in its complaint against Franklin that the company failed to implement reasonable security measures to protect its customers’ personal information, including the names, Social Security numbers, addresses, dates of birth and driver’s license numbers of approximately 95,000 individuals, by enabling a P2P application to be installed on a computer that was connected to Franklin’s network. The FTC cited violations of Section 5 of the FTC Act, the GLBA Safeguards Rule and the GLBA Privacy Rule for Franklin’s failure to implement reasonable security policies, send customers annual privacy notices and provide the requisite opt-out mechanisms. In its complaint against EPN, the FTC alleged that, because the company failed to provide reasonable and appropriate security measures for the personal information it collects, a P2P application was installed on a computer connected to the company’s network that made the personal information of approximately 3,800 consumers available to any computer with access to the network.