Back in 2010, the FTC conducted a probe revealing that a great deal of sensitive customer data could be found on P2P networks, uploaded by companies that had pledged to safeguard that data. That probe led the FTC to investigate specific companies, and today the Federal Trade Commission charged a debt collection agency in Provo, Utah and a car dealership in Statesboro, Georgia with illegally exposing the personal information of thousands of customers.

The FTC’s 2010 probe originally uncovered “health-related information, financial records, and driver's license and social security numbers” on peer-to-peer networks, shared from the computer networks of legitimate organizations. As is the nature of P2P, that leaked data was available to any user of the P2P network, and it exposed many unwitting citizens to fraud and harm.

Two years later, the FTC is bringing charges against two companies whose computers were found to have connected to P2P networks and leaked sensitive data belonging to the companies' customers. Under the settlement offer extended by the FTC, both companies would be required to disclose their privacy practices more clearly, and would undergo a security audit by the FTC every other year for the next 20 years to ensure compliance.

The first company, EPN, Inc. (otherwise known as Checknet) is a debt collection agency in Provo, Utah, whose clients are healthcare providers, commercial credit organizations, and retailers. The FTC alleges that the company allowed its chief operating officer “to install P2P file-sharing software on the EPN computer system, causing sensitive information including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients to be made available to any computer connected to the P2P network.”

The second company, Franklin's Budget Car Sales, Inc. of Statesboro, Georgia, which sells cars and provides financing options for buyers, released information belonging to 95,000 of its customers, including names, addresses, Social Security numbers, dates of birth, and driver's license numbers. The company’s vice president, Dan Cook, was out of the office and could not immediately be reached for comment.

Still, since 2001, Franklin's Budget Car Sales (also known as Franklin Toyota) has assured customers in its privacy and data use policy statement that it maintains "physical, electronic, and procedural safe guards that comply with federal regulations to guard non public personal information." The FTC's charges stand in direct contradiction to that statement, and the commission found that the auto dealer violated its prohibition of "unfair or deceptive acts" in commerce.

Naivety about P2P networks led to leaks

What’s startling about these cases is that they seem to have arisen out of pure naivety regarding how peer-to-peer networks work. Rather than a rogue hacker leaking information out of schadenfreude, or an employee downloading questionable P2P software laced with data-gathering spyware, these leaks appear to have come from an employee ignorantly but consciously sharing files over P2P networks, assuming they would be safe. “We have no evidence that there was malicious code in the P2P file sharing software. We also have no evidence that any employee uploaded the data maliciously,” Jessica Lyon, attorney for the FTC’s Division of Privacy and Identity Protection, told Ars regarding the EPN case.

For its part, EPN is (naturally) very contrite about the issue. In a written statement, President and CEO Jessica Devenish noted that the incident occurred in 2008, writing, "This was an unfortunate incident that was immediately corrected. Since, we have learned considerably in terms of improving our security and infrastructure and stand behind our model today."

Over the phone, Devenish told Ars that the P2P software on the employee's computer was removed within 24 hours of being discovered. “At the time, it was a misunderstanding of how P2P works. There was no malicious intent at all,” Devenish said.

EPN said it now understands that files shared on a P2P network can be accessed by any other user on the network. It also asserted that “the incident that led to the FTC complaint was a one-time, isolated event that involved a limited number of records pertaining to one particular client. No identity theft, no material harm, and no fraud has occurred as a result of the incident.” The company confirmed that the client in question was an organization, not an individual, which would explain the FTC’s claim that the records of 3,800 hospital patients were released. Still, Devenish claimed that the FTC’s count of affected customers was incorrect. When we contacted her later to follow up on that claim, Devenish could not be reached to elaborate.

Ultimately, the message the FTC is sending is that every company collecting data is obligated to take customer security seriously. While an auto dealer in Georgia and a debt collector in Utah may not seem like large companies to call out among the dozens that the FTC discovered during and after its 2010 probe, the FTC's Lyon said that these two companies weren’t singled out to serve as examples. They were simply two companies with strong evidence of data mismanagement. “Neither of these companies are terribly big,” Lyon said, “but for both of these companies, it’s important that they have reasonable security provisions considering the amount of data that they have” about their thousands of customers.

The FTC voted unanimously for the settlement agreements for the two companies. The commission will publish their agreements and allow 30 days for public comment before voting on the final settlements.