Thursday, June 07, 2012

Employee Use of P2P Software Results in FTC Enforcement Actions

By Mehmet Munur

The Federal Trade Commission announced that it brought two separate enforcement actions against a debt collector and a car dealership because of the unauthorized sharing of sensitive personal information through P2P network software installed by their employees. As is common in most FTC enforcement actions, the companies will be required to cease misrepresentations about privacy and security of personal information, maintain a comprehensive information security program, and submit to third-party security audits for 20 years. These enforcement actions, once again, point to the importance of having privacy policies that align with privacy practices and the importance of having reasonable security practices in place.

The FTC complaint against the debt collector, EPN, alleges that it collected personal information without reasonable and appropriate security. EPN collected name, address, date of birth, gender, Social Security number, employer address, employer phone number, and, in the case of healthcare clients, physician name, insurance number, diagnosis code, and medical visit type from its clients for debt collection purposes. EPN’s Chief Operating Officer installed a P2P application on its systems. One of its clients found the files shared on the same network and alerted EPN. Through this P2P application, EPN in fact shared information about 3800 individuals. EPN did not have a business need for the application. The FTC stated that EPN did not have an incident response plan, a risk assessment, measures against P2P software use by its employees, or procedures for detecting unauthorized access to personal information. The FTC alleged that these were unfair and deceptive practices under the FTC Act.

It is interesting that the FTC did not point to a privacy policy for representations relating to the privacy and security of the information collected by EPN—even though EPN, doing business as Checknet, Inc., has a website privacy policy. However, the privacy policy does not have an effective date and it may have been added after the FTC investigation began.

The FTC complaint against the car dealer, Franklin’s Budget Car Sales, alleges that the dealership shared a privacy notice with its customers stating that it would restrict access to non-public personal information and that it maintained physical, electronic, and procedural safeguards that comply with federal regulations. The dealership then collected personal information such as names, Social Security numbers, addresses, telephone numbers, dates of birth, and drivers’ license numbers from consumers. The FTC also alleges that the dealership did not provide an annual notice. Currently, Franklin Toyota’s website privacy policy shows the model privacy clauses—instead of a web privacy policy. They are also still in model form—without some of the choices required to complete the form having been made. The FTC alleges that the dealership failed to put reasonable security procedures in place—similar to EPN’s alleged failures. As a result of those failures, information relating to 95,000 consumers was shared on P2P networks. Therefore, the FTC alleged violations of Section 5 of the FTC Act (for misrepresenting its privacy and security measures in its privacy notice), the Safeguards Rule of the GLBA (for failing to implement reasonable security practices), and the Privacy Rule of the GLBA (for failing to send annual privacy policies).

Both companies agreed to similar terms as a result of these complaints. The consent order with the dealership requires it not to misrepresent the privacy, security, and confidentiality of the personal information it collects, nor to violate the GLBA. It also requires the dealership to designate an employee accountable for information security, conduct a risk assessment, and design and implement reasonable safeguards, among other things. The dealership must also submit to third-party assessments once every two years for 20 years. The debt collector’s consent order is similar—but for the GLBA requirements.

There are several lessons to be learned from the enforcement actions—some new, some old.

First, the enforcement action highlights the importance of having a privacy policy and abiding by the letter and spirit of that privacy policy to avoid an enforcement action under the FTC Act. Google, Facebook, Twitter and others ran into this same trap of having a privacy policy that did not align with their privacy and security practices.

Second, failure to have reasonable security without making any representations regarding the importance of privacy and security to an organization can still result in an enforcement action—especially where the harm to consumers may include sharing of sensitive personal information. Here, the FTC seemed perturbed by the fact that some of the personal information shared with the P2P networks may never be taken out of circulation due to the decentralized nature of P2P networks. In fact, some of this information likely included information relating to healthcare procedures.

Finally, the FTC appears to be following a “study, report, then bring enforcement actions” plan for topics of interest—as any reasonable regulator should. In the P2P space, the FTC obtained comments and looked at consumer protection and competition issues in a 2005 staff report. More recently, in 2010, the FTC completed a study on widespread data breaches resulting from P2P software use by businesses and notified about 100 organizations. The FTC also published guides for consumers and businesses relating to P2P software use. Then, the FTC brought an enforcement action against Frostwire LLC for default settings in its P2P software that shared too much personal information. Now, the FTC brings these enforcement actions against businesses that cause breaches through the use of P2P software. The FTC has been following a similar study-report-bring-enforcement-actions plan with mobile privacy, mobile payments, and behavioral advertising issues. Therefore, I would expect more enforcement actions in those fields as a result of the plan the FTC has been carrying out in the P2P area.

These latest enforcement actions are reminders that businesses must pay attention to their privacy and security practices or risk being subject to onerous consent orders prescribing privacy and security programs.

Wednesday, April 25, 2007

New England Banks to Sue TJX

The Boston Globe reports that a group of New England banks is planning to sue TJX Cos. over TJX's data breach.

Wednesday, April 11, 2007

Data Breaches and Buyer Behavior

Javelin Strategy & Research has a study for purchase entitled "Data Breaches and Buyer Behavior: Moving PCI Compliance from Costly Burden to Competitive Advantage" (link is to the free preview).

Hat tip to Payments News which states:

The study concludes that "77% of consumers intend to stop shopping at merchants that suffer from data breaches. Retailers and merchants are viewed by 63% of consumers as the least secure when protecting consumer’s data, compared with processors (16%), card networks like Visa or MasterCard (5%) and issuers (5%). When little is known about a data breach, half of all consumers automatically consider the merchants where they shop to be at fault. However, 85% will reward merchants who are perceived as security leaders with increased purchases."

TJX Companies 10K on Computer Intrusions

This InternetNews story says that TJX Companies, Inc. revealed to the SEC that as many as 47.5 million customer records were stolen during TJX's highly publicized computer intrusion. For those interested, here's TJX's 10-K filing. Pages 7-10 are devoted to a discussion of the computer intrusion and pages 18-21 detail the 19 legal proceedings related to the computer intrusion. Page 21 also details the various government investigations in regards to the computer intrusion.

Obviously, the security breach will not be cheap for TJX.

Friday, February 23, 2007

Ohio Senate Bill No. 6

Senate Bill Number 6 was introduced:

  • to allow consumers to place a security freeze on the consumer's credit report
  • to specify that Social Security numbers are confidential
  • to specify that certain personal information is not a public record
  • to require a public office to redact from a document that is otherwise a public record certain personal information
  • to require a public office to redact Social Security numbers and other confidential information from any document that is made available online to the public through the Internet
  • to require the Office of Criminal Justice Services to make state funding grants available to local law enforcement agencies for enforcement of identity fraud laws
  • to require the attorney general to support local law enforcement agencies with the enforcement of identity fraud laws, and
  • to enact a special statute of limitations for criminal prosecutions and civil actions against identity fraud

The bill, if passed, would help remedy the problem reported last year where a number of records from the Ohio Secretary of State's Office were displayed with Social Security numbers.

While I agree that government websites should not post information such as SSNs, I expect that this bill would cost taxpayers money to find and redact SSNs already posted (which is not a trivial task). Alternatively, some agencies may take the information offline as they assess the scope of confidential information contained in their online records.
