A Utah-based debt collection agency has settled charges brought by the Federal Trade Commission that it exposed sensitive information on its computers and networks to security risks by failing to implement reasonable security measures.
According to the FTC, EPN Inc., doing business as Checknet Inc., failed to assess potential risks to the consumer information it stored, did not adequately train employees, and did not use reasonable measures, such as scanning its networks to identify any operational P2P file-sharing applications, to enforce compliance with its security policies.
The failure to implement reasonable and appropriate data security measures, according to the FTC, was an unfair practice that violated federal law. As a result, EPN's chief operating officer was able to install P2P file-sharing software on the EPN computer system, causing sensitive information including Social Security numbers, health insurance numbers and medical diagnosis codes of 3,800 hospital patients to be made available to any computer connected to the P2P network, the FTC alleged.
EPN is based in Provo, Utah. The agency's clients have included health care providers, commercial credit organizations and retailers.
The settlement order bars misrepresentations about the privacy, security, confidentiality and integrity of any personal information. It requires EPN to establish and maintain a comprehensive information security program. It also requires EPN to undergo data security audits by independent auditors every other year for 20 years.
P2P technology can be used in many ways, including playing games, making online telephone calls, and - through P2P file-sharing software - sharing music, video and documents. But it also can pose data security risks.
A 2010 FTC study of P2P-related breaches uncovered a wide range of sensitive consumer data available on P2P networks - including health-related information, financial records and driver's license and Social Security numbers.
Files shared to a P2P network are available for viewing or downloading by any computer user with access to the network. Generally, a file that has been shared cannot be permanently removed from the P2P network. Files also can be shared among computers long after they have been deleted from the original source computer.




