The Federal Trade Commission announced this week it notified nearly 100 organizations that they had improperly released sensitive information via peer-to-peer (P2P) networks and that failure to maintain control of that information may have violated one of the several consumer protection laws the agency enforces. Those laws include the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Federal Trade Commission Act, among others.
The organizations that received letters from the FTC run the gamut: businesses, non-profits, schools and charitable organizations, with anywhere from eight to more than 10,000 employees, according to the agency Web site. The information they released is now available to anyone who accesses the peer-to-peer sites.
InformationWeek quotes FTC Chairman Jon Leibowitz this way:
"Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing."
However, as writer Thomas Claburn points out, receiving a letter does not mean a company is guilty of violating federal law. It means only that sensitive information is now available on P2P networks, which makes its individual owners vulnerable to identity theft and fraud. The agency indicates it will let the organizations decide how best to comply with state and industry data breach notification laws if they have not already done so.
In conjunction with its findings, the FTC has also released an informational guide for businesses on P2P security.