Following a public comment period, the Federal Trade Commission has accepted as final a settlement with a debt collection agency it charged with illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on its corporate computer system.
The settlement with Utah-based debt collector EPN, Inc. will bar misrepresentations about the privacy, security, confidentiality, and integrity of any personal information collected from consumers. The company also must establish and maintain a comprehensive information security program.
The FTC initially announced the settlement in June. The FTC alleged that EPN, Inc. (doing business as Checknet, Inc.), a debt collector based in Provo, Utah, failed to implement reasonable security measures for personal information on its computers and networks. As a result of these failures, EPN’s chief operating officer was able to install P2P file-sharing software on her EPN desktop, which, in 2008, caused a file containing sensitive information, including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients, to be made available to any computer connected to the P2P network.
According to the agency, the failure to implement reasonable and appropriate data security measures was an unfair act or practice and violated federal law.
“This was an unfortunate incident that was immediately corrected,” said Jessica Devenish, CEO of Checknet. “Since, we have learned considerably in terms of improving our security and infrastructure and stand behind our model today. We have never operated out of arrogance or neglect and we will now continue to operate with our clients and their consumers in mind.”
The company also noted that the incident that led to the FTC complaint was a one-time, isolated event that involved a limited number of records of one particular client. The client contacted Checknet in April 2008 to tell them that the file was available on a P2P network. Checknet immediately removed the P2P network access from the computer.
The settlement in a separate case with the same allegations was also finalized. The FTC charged that auto dealer Franklin’s Budget Car Sales, Inc., also known as Franklin Toyota/Scion, of Statesboro, Georgia, compromised consumers’ personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network.