(CIOZone) By Cara Garretson
The U.S. Federal Trade Commission announced this week that it has notified nearly 100 organizations that sensitive data about their customers and employees has been exposed on peer-to-peer file-sharing networks.
The agency was able to find sensitive information such as health data, drivers’ licenses, Social Security numbers and financial records -- all of which could lead to identity theft -- available online to any user of certain peer-to-peer file-sharing networks. It told recipients of the notifications (a sample of which can be read here) to scan their corporate networks for unauthorized use of peer-to-peer software that could be causing these leaks of customer or employee data.
“Peer-to-peer technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, video, and documents,” said the FTC. “But when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.” Examples of P2P file-sharing programs and networks include BearShare, LimeWire, KaZaa, eMule, Vuze, uTorrent and BitTorrent.
Among the notice recipients were public and private organizations including schools, governments, small businesses and large public corporations. The FTC also said that it has opened non-public investigations into companies in addition to these notice recipients that have customer or employee data openly available on peer-to-peer networks. It has also launched an educational campaign to help businesses manage the security risks brought about by the use of these file-sharing networks.
“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” said FTC chairman Jon Leibowitz in a statement. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.” The agency also advised that organizations review the practices of their business partners and service providers that could have access to sensitive customer or employee data.
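One way to act on that advice is to look for P2P activity in egress connection logs. The following is an added example, not code from the article or the FTC; it assumes a hypothetical one-line-per-connection log format, a 10.0.0.0/8 corporate range, and the historical default ports of the Gnutella, eDonkey and BitTorrent networks that the named clients use. Because current clients often randomize ports, it also flags hosts with an unusually high number of distinct external peers.

```python
import re
from collections import defaultdict

# Historical default ports of the P2P networks behind the clients the FTC names
# (LimeWire/BearShare: Gnutella, eMule: eDonkey, uTorrent/Vuze: BitTorrent).
# Modern clients often randomize ports, so this list alone is a weak signal.
P2P_PORTS = {
    6346: "gnutella", 6347: "gnutella",
    4662: "edonkey", 4672: "edonkey",
    **{p: "bittorrent" for p in range(6881, 6890)},
}

# Assumed (constructed) log format: "src_ip dst_ip dst_port proto"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\d+) (tcp|udp)$")

def parse(lines):
    """Yield (src, dst, dport, proto) tuples, skipping lines that do not match."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def is_internal(ip):
    return ip.startswith("10.")  # assumption: corporate range is 10.0.0.0/8

def find_p2p_hosts(lines, fanout_threshold=20):
    """Return {internal_host: reason} for hosts that look like P2P clients."""
    peers = defaultdict(set)   # internal host -> distinct external destinations
    reasons = {}
    for src, dst, dport, _ in parse(lines):
        if not is_internal(src) or is_internal(dst):
            continue           # only outbound, internal-to-external traffic
        if dport in P2P_PORTS:
            reasons.setdefault(src, f"known {P2P_PORTS[dport]} port {dport}")
        peers[src].add(dst)
    # Second check: swarm-like fan-out catches clients on randomized ports
    for host, dsts in peers.items():
        if host not in reasons and len(dsts) >= fanout_threshold:
            reasons[host] = f"high fan-out to {len(dsts)} external peers"
    return reasons

# Constructed sample: one host hits a Gnutella port, one swarms on random ports,
# one only talks HTTPS to a single destination.
SAMPLE_LOG = [
    "10.1.2.3 203.0.113.5 6346 tcp",
    "10.1.2.3 203.0.113.6 443 tcp",
    "10.1.2.9 198.51.100.1 443 tcp",
] + [f"10.1.2.7 192.0.2.{i} {40000 + i} tcp" for i in range(1, 26)]

if __name__ == "__main__":
    for host, why in find_p2p_hosts(SAMPLE_LOG).items():
        print(host, why)
```

A hit from either check is a lead to examine the host and, if a file-sharing client is present, to audit exactly which folders it is configured to share.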
The FTC also recommended that these companies identify the customers and employees whose data has been available on file-sharing networks and consider notifying them of the breach. While there is no federal law requiring organizations to notify individuals when a breach involving unauthorized access to their information has occurred, the majority of U.S. states have already enacted their own data-breach notification laws -- some of which carry criminal penalties for violators.
Failure to protect sensitive or personally identifiable information could violate the Gramm-Leach-Bliley Act as well as Section 5 of the FTC Act, officials said. However, the FTC stressed that receiving a notice about data found on peer-to-peer networks does not by itself mean that an organization has violated any law the FTC enforces.