The Federal Trade Commission has warned approximately 100 organizations that their private customer and employee data is being shared on peer-to-peer networks. Businesses need to review and change their security policies to protect such information, the FTC says.
"The Federal Trade Commission has notified almost 100
that personal information, including sensitive data about customers
and/or employees, has been shared" from their computers
via peer-to-peer networks, the FTC said in a release Feb. 22.
"In the notification
[PDF] the agency urged the entities to review their security
practices"-as well as the practices of any "contractors and vendors"
they do business with-"to ensure that they are reasonable, appropriate
and in compliance with the law.
"Companies should take a hard look at their systems to ensure that
there are no unauthorized P2P file-sharing programs and that authorized
programs are properly configured and secure," FTC Chairman Jon Leibowitz said
in a statement. "Just as [importantly], companies that distribute P2P
programs, for their part, should ensure that their software design does not
contribute to inadvertent file sharing."
According to the FTC, "Failure to prevent ... [personal] information
from being shared to a P2P network may violate" data
privacy and security mandates
included in laws such as the
Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Federal Trade
Commission Act. Besides the 100 organizations it has contacted, "The
agency also has opened nonpublic investigations of other companies whose
customer or employee information has been exposed on P2P networks," the
"What makes this case difficult from an enterprise standpoint is that
many of the organizations were probably not aware that their employees were
using P2P technologies and putting their data at risk," opined Steve Hurn,
CEO of database security vendor Secerno. "With
most IT departments understaffed, securing data has become difficult. Many
organizations do not know which person or application is accessing data.
Without that knowledge and associated built-in protection, they cannot ensure
that sensitive data will not be accessed.
"The challenge for these organizations will be notifying those
affected, and dealing with the fallout from investigating agencies and
compliance organizations," Hurn added.
While the FTC did not specifically name the organizations it notified, the
agency said it sent notices to "both private and public entities,
including schools and local governments," and that some had "as few
as eight employees" while others had "tens of thousands."
"Unfortunately, companies and institutions of all sizes are vulnerable
to serious P2P-related breaches, placing consumers' sensitive information at
risk," Leibowitz said. "For example, we found health-related
information, financial records, and drivers' license and social security
numbers-the kind of information that could lead to identity theft."
The FTC also said, "To help businesses manage the security risks
presented by file-sharing software, the FTC is releasing new [educational]
that present the risks and recommend ways to manage them."
Some tips for consumers
can be found here.