Wednesday, February 24, 2010

FTC Finds Sensitive Data Leaked from Organizations to P2P Networks

This posting was written by Cheryl Beise, Editor of CCH Guide to Computer Law.

The Federal Trade Commission announced on February 22 that it has notified nearly 100 organizations that personal information emanating from the organizations' computer networks had been shared and was available on peer-to-peer (P2P) file-sharing networks where it could be accessed and used to commit identity theft or fraud. The information included sensitive data about customers and/or employees.

Notices Sent to Private, Public Entities

The notices went to both private and public entities, including schools and local governments, the agency said. Entities contacted ranged in size from businesses with as few as eight employees to publicly-held corporations employing tens of thousands. The agency also said it opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks.

The notification letters urged the entities to review their security practices—and, if appropriate, the practices of contractors and vendors—to ensure that they are reasonable, appropriate, and in compliance with the law. The agency posted samples of the letters (Letter A, Letter B, and Letter C), which advise recipients, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.”

The FTC warned that failure to prevent such information from being shared to a P2P network may constitute a violation of law, including the Gramm-Leach-Bliley Act and Section 5 of the FTC Act.

“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk,” said FTC Chairman Jon Leibowitz.

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” Leibowitz counseled.

Notification of Customers, Employees

The FTC also recommended that the entities identify affected customers and employees and consider whether to notify them that their information is available on P2P networks. Many states and federal regulatory agencies have laws or guidelines about businesses' notification responsibilities in these circumstances, the agency noted.

Text of the announcement appears here on the FTC website.

To help businesses manage the security risks presented by file-sharing software, the FTC released a new business education brochure, “Peer-to-Peer File Sharing: A Guide for Business,” describing the risks and recommending ways to manage them.

Further information about the FTC’s privacy and data security enforcement actions can be found here.
