FTC Hunting Down P2P Data Leaks
A few days ago the Federal Trade Commission (FTC) formally announced that it has notified almost 100 organizations about sensitive information it identified on P2P file-sharing systems. The data includes “health-related information, financial records, and drivers’ license and social security numbers” that these organizations’ employees had inadvertently released. The notices went to both public and private organizations, ranging from very small (8 employees) to large public companies with thousands of employees. The leaks are believed to stem mainly from users misunderstanding how to properly configure the P2P software, with the result that every file on their systems was shared.
Alain Sheer, an attorney with the FTC’s Bureau of Consumer Protection, was recently quoted on ComputerWorld as saying “that as part of the investigations, the FTC will collect information from each company to see if they may have violated data privacy laws. Generally, such investigations are the first step toward a formal complaint being lodged against a company by the FTC.”
We’ve seen similar stories in the past, including the case where plans for the President’s helicopter, Marine One, were found on a P2P network, having leaked from a contractor. So the big question is how these companies are going to address the issue. Is this simply a user who downloaded P2P software and installed it on a work computer without knowing better? That could be addressed (at least from a due diligence perspective) with improved company security policies and user awareness training, possibly even going so far as blocking P2P ports at the network level (bearing in mind that most P2P clients can be pointed at arbitrary ports, so port blocking is a backstop rather than a fix). But what if it is the result of employees bringing work home and doing it on their home computers because of all the company cutbacks during the down economy? Most companies are asking their employees to do more with less these days. In either case, it will be interesting to see how the FTC continues with these investigations and what, if anything, the organizations outside the FTC’s purview will do about these notices.
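Whichever way the software got onto the machine, the check a practitioner wants is the same: look at the directory tree a misconfigured client would expose and find out what is actually in it before someone else does. The script below is an added example, not code from the FTC or from this post; it walks a share root and flags files whose text matches the categories the FTC named. The SSN structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000), the keyword lists and the sample files are constructed here for illustration and are assumptions, not something the FTC published.

```python
"""Audit a directory the way a misconfigured P2P client would expose it:
walk every file under the share root and flag content that looks like the
categories the FTC notices cited (SSNs, driver's licence numbers, financial
and health records). Plain-text heuristics only; no PDF/OCR handling."""
import re
import tempfile
from pathlib import Path

# Formatted SSN: AAA-GG-SSSS. Structural validity rules are an assumption
# based on the current SSA numbering scheme.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed keyword lists for the other categories the FTC named.
KEYWORDS = {
    "health": re.compile(r"\b(diagnosis|patient|prescription|medical record)\b", re.I),
    "financial": re.compile(r"\b(account number|routing number|bank statement|credit card)\b", re.I),
    "drivers_license": re.compile(r"driver'?s? licen[cs]e|\bDL ?#", re.I),
}


def is_plausible_ssn(area, group, serial):
    """Reject structurally impossible numbers to cut down on false positives."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_ssns(text):
    """Return every plausibly valid formatted SSN found in text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def classify(text):
    """Return the set of sensitive-data labels that match a file's text."""
    hits = set()
    if find_ssns(text):
        hits.add("ssn")
    for label, pattern in KEYWORDS.items():
        if pattern.search(text):
            hits.add(label)
    return hits


def scan_share(root, max_bytes=1_000_000):
    """Return {relative_posix_path: set(labels)} for every flagged file under root."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            # Read a bounded prefix and ignore undecodable bytes (binary files).
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue
        labels = classify(text)
        if labels:
            findings[path.relative_to(root).as_posix()] = labels
    return findings


def build_sample_share():
    """Constructed sample tree standing in for a home directory shared wholesale.
    All identifiers are fake; 000-12-3456 is structurally invalid on purpose."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    files = {
        "Music/track01.txt": "just lyrics, nothing sensitive here",
        "Documents/hr/new_hires.csv": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,000-12-3456\n",
        "Documents/clinic/intake.txt": "Patient: J. Doe. Diagnosis: pending. DL# A1234567",
        "Downloads/statement.txt": "Bank statement. Account number 0011223344.",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, labels in sorted(scan_share(share).items()):
        print(f"{rel}: {', '.join(sorted(labels))}")
```

Point `scan_share` at the directory the client is configured to share (or at the user's whole home directory, which is what the misconfigured installs effectively exposed) and treat any hit as something that must be moved out before the client is allowed to run. The heuristics are deliberately simple; they miss unformatted numbers and anything inside PDFs or office documents, so a clean result is not proof that nothing sensitive is present.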
All in all, it goes to show that good security policies, well implemented and backed with strong user awareness training, should be a fundamental building block for any company, regardless of size or number of employees.
Additional information from the FTC can be found here: