FTC Warns of Data Breaches from P2P File Sharing

 
 
By Brian Prince  |  Posted 2010-02-23
 
 
 
 
 
 
 

The Federal Trade Commission has warned approximately 100 organizations that their private customer and employee data is being shared on peer-to-peer networks. Businesses need to review and change their security policies to protect such information, the FTC says.

"The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared" from their computers via peer-to-peer networks, the FTC said in a release Feb. 22.

"In the notification letters, [PDF] the agency urged the entities to review their security practices" - as well as the practices of any "contractors and vendors" they do business with - "to ensure that they are reasonable, appropriate and in compliance with the law."

"Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure," FTC Chairman Jon Leibowitz said in a statement. "Just as [importantly], companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing."

According to the FTC, "Failure to prevent ... [personal] information from being shared to a P2P network may violate" data privacy and security mandates included in laws such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Federal Trade Commission Act. Besides the 100 organizations it has contacted, "The agency also has opened nonpublic investigations of other companies whose customer or employee information has been exposed on P2P networks," the FTC said.

"What makes this case difficult from an enterprise standpoint is that many of the organizations were probably not aware that their employees were using P2P technologies and putting their data at risk," opined Steve Hurn, CEO of database security vendor Secerno. "With most IT departments understaffed, securing data has become difficult. Many organizations do not know which person or application is accessing data. Without that knowledge and associated built-in protection, they cannot ensure that sensitive data will not be accessed.

"The challenge for these organizations will be notifying those affected, and dealing with the fallout from investigating agencies and compliance organizations," Hurn added.

While the FTC did not specifically name the organizations it notified, the agency said it sent notices to "both private and public entities, including schools and local governments," and that some had "as few as eight employees" while others had "tens of thousands."

"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk," Leibowitz said. "For example, we found health-related information, financial records, and drivers' license and social security numbers - the kind of information that could lead to identity theft."

The FTC also said, "To help businesses manage the security risks presented by file-sharing software, the FTC is releasing new [educational] materials that present the risks and recommend ways to manage them." Some tips for consumers can be found here.

 
 
 
 
 
 
 
 
 
 
 
