FTC seeks extensive information from firms being investigated for P2P breaches

Firms asked to submit technology, process-related information dating back to 2007

Several companies being investigated by the Federal Trade Commission for inadvertently exposing customer and employee data on peer-to-peer (P2P) networks, have been asked by the agency to submit extensive information on their data-collection, usage and protection practices.

A redacted copy of a request for such information, which the FTC sent to a company that's under investigation, was obtained by Computerworld. It showed the agency is seeking information, dating back to mid-2007, on a wide-range of technology and process-related topics.

For instance, the FTC is asking for detailed information on the types of personal information being collected by the company, the purpose for which it is being used, and how the data is collected, shared and stored.

The letter seeks "detailed descriptions" on how the company compiles, maintains and stores personal information, as well as "high-level diagrams setting out the flow paths" of personal information from source to the point of use.

The company is also required to identify by name, location and operating system every computer that is used to collect and store personal information. In addition, it is required to provide a "narrative" or a blueprint that describes network components in minute detail, down to individual firewalls and routers, and even database tables and field names containing personal data.

The FTC is also requiring any information the company has about its knowledge of the data leaks. The details sought include who knew about the breaches, when, what attempts the company made to inform affected individuals, and why P2P software was allowed to be installed on a company system.

The FTC's 12-page Civil Investigative Demand (CID) letter, which Computerworld viewed, is essentially a federal subpoena that signals the start of a full-fledged federal investigation of a company.

Earlier this week, the FTC announced that it had launched "non-public" investigations against an undisclosed number of companies after discovering they had leaked sensitive personal information on P2P networks.

The companies were targeted for the investigation following a broad FTC probe, during which the agency discovered confidential data from scores of companies available publicly on file-sharing networks.

The data discovered by the FTC included health-related information, financial records, driver's license and Social Security numbers, and other sensitive information belonging to customers and employees at many companies.

In addition to the formal investigations against several companies, the FTC said it had also sent out letters notifying about 100 other companies regarding sensitive and confidential data from their networks being found on publicly available P2P networks.

The notification letters urged the targeted companies to review their security controls and warned them that the data leaks could be putting them in violation of laws enforced by the FTC.

The agency's moves signal what is seen as a long overdue crackdown against companies leaking data on P2P networks. Over the past two years there have been a number of instances of government agencies, businesses and healthcare organizations inadvertently exposing large amounts of personal data as a result of someone improperly installing P2P software on a computer containing the data.

The leaks, some of which have been spectacular, have grabbed the attention of lawmakers, who late last year introduced two bills in Congress aimed at curbing the problem.

The FTC's move shows that the agency is finally exerting its enforcement muscle, said Robert Bobak, CEO of Tiversa Inc., a Cranberry Township, Pa.-based provider of P2P network monitoring services.

"We were happy to see that the FTC [has] finally started recognizing that P2P is a main source for criminals to gain access to consumer's personally identifiable information for ID theft and fraud," Boback said. Complying with the FTC's request for information could prove to be an "extensive and cumbersome" task for the affected companies, he said.

Between 2001 and last year, the FTC initiated about 25 enforcement actions in total over data breaches involving personal data, Boback said. That fact that they have now contacted over 100 companies in just the past month is unprecedented and underlines the seriousness with which it is viewing the problem, Boback said.

Boback said Tiversa has uncovered as many as 28 million Social Security numbers on P2P networks while performing services for customers. "There are currently thousands of companies that could be receiving letters as the confidential data present remains staggering," he said.

He has testified several times before Congress on the problem of inadvertent data leaks on file-sharing networks, and his company has exposed numerous sensational P2P data breaches over the past few years.

A crackdown by the FTC against those involved in such breaches could benefit companies such as Tiversa, which help businesses figure out if they are leaking protected data on P2P networks. In fact, 14 of the companies contacted by the FTC over the leaks have already contacted Tiversa for help, Boback said.

"All but two of those have CIDs," he said, adding that complying with the FTC's request for information could prove to be an "extensive and cumbersome" task for the affected companies. "We have confirmed through the companies that have contacted us, that the breaches involve several hundred thousand consumers in total, so far."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon