FTC warns organizations about data breach risks from P2P file sharing

An FTC probe uncovered widespread data breaches.

The FTC issued a statement earlier this week regarding its distribution of warning letters to around 100 organizations that have had “sensitive” customer and/or employee data shared on P2P file sharing networks. The agency made clear that although the recipients of the letters are not necessarily the focus of pending legal action, the fact that sensitive data now resides on these P2P networks means that organizations “may” have violated laws enforced by the FTC, including the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, among others.

Organizations receiving the letters ranged from governments to private businesses. “We found health-related information, financial records, and drivers’ license and social security numbers – the kind of information that could lead to identity theft”, warned Jon Leibowitz, FTC Chairman.

A press release issued by the FTC noted that P2P file sharing software, when not configured correctly, can expose files to anyone on the network, not just the media files the user intended to share. The FTC also provided these organizations with links to resources for addressing the issue, including its new business education brochure: Peer-to-Peer File Sharing: A Guide for Businesses.
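The exposure the FTC describes comes from a P2P client's shared folder containing more than the user meant to publish. One practical check, before (or after) a folder is exposed, is to walk it and flag files whose names or contents look like the categories the FTC cited (Social Security numbers, financial records). The script below is an added example written for this page, not code from the FTC, Sophos or any P2P client; the pattern rules, the filename hints and the sample share directory it builds are all constructed assumptions for illustration, and a real deployment would tune them to the organization's own data.

```python
import re
import tempfile
from pathlib import Path

# SSN-shaped values (area 000/666/9xx, group 00 and serial 0000 are never issued).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-number-shaped runs of 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Filename fragments that suggest payroll, tax or health records (assumed list).
SENSITIVE_NAME_HINTS = ("payroll", "ssn", "w-2", "w2", "1099", "medical", "patient", "tax")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_share_root(root, max_bytes: int = 1_000_000):
    """Walk a directory that a P2P client would share and return
    [(relative_path, [reasons])] for files that look sensitive."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if any(hint in path.name.lower() for hint in SENSITIVE_NAME_HINTS):
            reasons.append("filename")
        try:
            with path.open("rb") as fh:
                text = fh.read(max_bytes).decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: nothing to judge, move on
        if SSN_RE.search(text):
            reasons.append("ssn")
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
            reasons.append("card")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_share() -> Path:
    """Constructed sample share folder (fake data) mimicking a misconfigured
    client that shares a whole user profile instead of a media folder."""
    root = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (root / "music").mkdir()
    (root / "music" / "track01.txt").write_text("just a playlist entry\n")
    (root / "Documents").mkdir()
    (root / "Documents" / "payroll_2009.csv").write_text("name,ssn\nJane Doe,123-45-6789\n")
    (root / "Documents" / "notes.txt").write_text("Card on file: 4111 1111 1111 1111\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, why in scan_share_root(share):
        print(f"{rel}: {', '.join(why)}")
```

Run it against the real shared-folder path from the client's settings rather than the constructed sample; anything it flags should be moved out of the share (or the share narrowed to a dedicated media folder) before the client is allowed to run.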

“If not configured properly, Kazaa, LimeWire, and other P2P file-sharing networks can scoop up files on your computer that you would probably prefer the whole world didn’t have access to”, said Graham Cluley, senior technology consultant at security vendor Sophos. “There are now cybercriminal gangs who scavenge the file-sharing networks, hunting for sensitive work documents such as financial records and social security numbers.”

The FTC said that recipients of the letters should consider informing customers and employees if their data were made available on a P2P network, but it is not requiring such action at this point. According to the notices sent this week: “The fact that a company received a letter does not mean that the company necessarily violated any law enforced by the Commission. Letters went to companies under FTC jurisdiction, as well as entities such as banks and public agencies over which the agency does not have jurisdiction.”

For now, the FTC is leaving it to each organization to determine whether it is in violation of any particular federal or state law; notification and remediation steps are, at this point, at the organization's discretion.
