The Federal Trade Commission (FTC) has brought two separate enforcement actions aimed at companies that improperly shared information over peer-to-peer (P2P) networks, which, according to the FTC’s press release, put the information of thousands of consumers at risk. In both cases, the respondents failed to secure their networks, which led to customers’ personal information being exposed. The FTC found in each case that these failures of security constituted unfair trade practices. Again, the FTC has provided businesses with clear roadmaps to what is, and what is not, acceptable information security.
EPN
EPN, Inc. is a debt collector based in Utah specializing in collecting hospital bills. According to the FTC’s complaint, EPN failed to implement many important business practices and failed to use reasonable methods to prevent, detect, and investigate unauthorized access to its networks. As a result, EPN’s chief operating officer was able to install P2P software, which caused a breach affecting approximately 3,800 hospital patients. The information accessed included each patient’s name, address, date of birth, Social Security number, employer name, employer address, health insurance number, and a diagnosis code. The FTC found that these practices violated Section 5(a) of the FTC Act as an unfair act or practice.