The FTC Charges a Debt Collection Firm and an Auto Dealership with Data Privacy Violations for Exposing Private Information through Peer-to-Peer File Sharing Networks
In a June 7 press release, the Federal Trade Commission (FTC) announced two proposed consent orders, one against a debt collection firm and the other against an auto dealership, for violations involving the public disclosure of private consumer information, including Social Security numbers. In both instances, the data breaches occurred because peer-to-peer (P2P) file sharing software was installed on company computers, making data on those computers available to everyone else connected to the P2P network.
One of the two actions is against EPN, Inc., a debt collector based in Provo, Utah, which provides services to healthcare providers and other clients. The FTC alleges that EPN's chief operating officer installed P2P file sharing software on the company's network, causing the disclosure of Social Security numbers, health insurance numbers and medical diagnosis codes of 3,800 hospital patients. The software was disabled in April 2008, "when EPN was informed by a client that two files containing personal information about the client's debtors were available on a P2P network." In terms familiar from healthcare compliance, the FTC found that EPN had failed to perform a risk assessment and to address the resulting deficiencies. Accordingly, the FTC found that EPN's actions constituted unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act.
The other action is against Franklin's Budget Car Sales, Inc., also d/b/a Franklin Toyota/Scion, of Statesboro, Georgia. In this case, records for 95,000 individuals were made available on a P2P network, including names, addresses, Social Security numbers, birth dates, and driver's license numbers. The FTC noted that while the dealership advised consumers through a privacy policy that it "maintain[s] physical, electronic, and procedural safe guards that comply with federal regulations to guard non public personal information," the dealership failed to have appropriate safeguards in place. The FTC found that the dealership violated Section 5(a) of the FTC Act, Title V, Subtitle A of the Gramm-Leach-Bliley Act, the FTC's Privacy of Customer Financial Information Rule, and the FTC's Standards for Safeguarding Customer Information Rule.
The FTC's remedies tend to run for a longer period than those the Office for Civil Rights (OCR) imposes in similar circumstances: each company must undergo a security risk assessment by a qualified security professional within the first 180 days after service of the order, and every two years thereafter for 20 years. Although the FTC can also fine companies in some circumstances, it does not appear to have done so in these cases.
The consent agreements are subject to public comment for 30 days (available through July 9), after which the FTC will decide whether to make the proposed consent orders final.
Both the FTC and OCR have made clear that companies handling sensitive information must take steps to ensure that data is secure. Best practices suggest that a risk assessment should be undertaken annually, and again whenever changes are made to the network infrastructure (e.g., purchase and integration of new equipment, transition to a new data center, closing of an office,