The FTC has announced two recent settlements with companies that are alleged to have illegally exposed sensitive personal information of their customers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems.
One of the settlements was with the Georgia automobile dealership Franklin’s Budget Car Sales, Inc., also known as Franklin Toyota/Scion, of Statesboro, Georgia.
The FTC alleged that Franklin failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information for 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers.
The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online and failed to adopt policies to prevent or limit unauthorized disclosure of information. It also allegedly failed to prevent, detect and investigate unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information.
Enforcement actions such as this point up the serious implications of inadequate (or non-existent) data privacy and security policies. This is an area of the law which is drawing ever-increasing scrutiny from regulatory agencies. Businesses need to take the handling of personal information very seriously and ensure that they have not only developed but also implemented appropriate policies and procedures concerning the gathering, storage, protection, and destruction of such information.