On February 22, 2010, the Federal Trade Commission (“FTC”) announced that it had notified nearly 100 organizations that personal information about the organizations’ customers or employees was available on peer-to-peer (“P2P”) file sharing networks. Through an Internet-wide sweep, the FTC discovered that sensitive data such as health-related information, financial records, drivers’ license numbers, and Social Security numbers had been shared from organizations’ computer networks and were accessible to anyone who might use the data for illegal purposes such as fraud or identity theft. The Commission has not publicly identified which organizations were notified, but it stated that letters were sent to large and small private and public entities, including schools and local governments.
P2P file sharing programs are often used to share documents, music, or video files over the Internet. While an employee’s intended use of a P2P file sharing program may be innocuous, the way the program is configured on an organization’s network may unintentionally expose the organization’s unsecured files to other users of the network: a client that is set to share a folder (or an entire drive) containing business records makes every file in it retrievable by anyone on the P2P network. FTC Chairman Jon Leibowitz stated: “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”
If your company has received a notice letter, it does not necessarily mean that a law enforced by the FTC has been violated. The letters are designed to urge recipients to ensure that their data security practices are reasonable and provide an appropriate level of protection. Nonetheless, the FTC has reserved its right to open an investigation if warranted by the facts of an individual case. Further, the FTC urged organizations to examine whether appropriate notice should be provided to customers and employees, as well as to law enforcement agencies and the credit bureaus, regarding the disclosure of personal information. Such notice may be required under various state or federal data breach notification laws and regulations. The FTC also has opened non-public investigations into other organizations’ data security practices where customer or employee personal information has been made available on a P2P network.
Laws Enforced by the FTC
The FTC is authorized to prohibit unfair or deceptive acts or practices under Section 5 of the FTC Act, and the Commission also enforces laws and regulations affecting privacy and security in specific industries, such as the Gramm-Leach-Bliley Act. Under these laws, companies are required to take reasonable and appropriate security measures to protect personal information from unauthorized access. Further, companies are responsible for the practices of vendors and service providers that have access to such data. Companies whose customers’ or employees’ personal information has been exposed on P2P networks may be in violation of these obligations.
FTC Business Guidance
As part of its notification effort, the FTC has provided companies with new business guidance on protecting personal information, entitled Peer-to-Peer File Sharing: A Guide for Business. The guidance offers tips for businesses considering the security implications of P2P file sharing technology on company networks, including: (1) a description of how P2P file sharing programs work; (2) identification of the security risks presented by P2P file sharing programs; (3) steps to protect sensitive information from unauthorized or unintentional disclosure through P2P file sharing programs; and (4) security and safeguarding techniques to employ, depending on whether the company intends to prohibit or permit the use of P2P file sharing programs.
What this Means for Organizations
If your organization has received a notice letter from the FTC indicating that the Commission discovered personal information about your customers or employees on a P2P file sharing network, you should fully investigate the potentially unauthorized disclosure, take immediate steps to secure your systems (including identifying which P2P programs are installed and which folders they share), and assess whether your current information security program could benefit from further enhancements in light of current risks and threats to data. You also should carefully examine whether the disclosure triggers any legal obligation to notify your customers or employees of the incident, and take steps to provide notice if appropriate. The FTC has clearly indicated through this effort and other recent actions that it is closely monitoring the information security practices of organizations. Businesses would be wise to take this warning seriously and take proactive steps in response.