The Federal Trade Commission announced Thursday that Statesboro dealership Franklin Toyota/Scion has been charged with illegally exposing the personal information of thousands of customers over the Internet.
FTC officials allege that Franklin failed to implement proper security measures to protect consumers’ personal information and allowed the names, addresses, Social Security numbers, dates of birth and driver’s license numbers of about 95,000 customers to be accessible through peer-to-peer, or P2P, file-sharing software installed on corporate computer systems.
An FTC news release states that sensitive financial information was uploaded to a P2P network as a result of Franklin’s allowing the software to be uploaded to its systems.
“The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online, and failed to adopt policies to prevent or limit unauthorized disclosure of information,” the release says. “(Franklin) also allegedly failed to prevent, detect and investigate unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information.”
Karen Jagielski, a senior attorney with the FTC, said the problem began with an employee error.
“One of Franklin’s employees inadvertently downloaded P2P software on Franklin’s computers, which allowed its computers to be accessed,” she said.
It is not known whether the information has fallen into other hands or exactly whose information became available.
A problem with uploading information to P2P software, Jagielski said, is that “once it is out there, it’s out there.”
“All of the information is potentially out there,” she said.
In response to the charges, Franklin Auto reached an administrative settlement with the FTC.
The settlement will be public record for 30 days, to allow for public comment, before the commission can make the agreement final, Jagielski said.
“What the settlement requires is, it requires Franklin to provide an adequate security protection program, which will require them to do an assessment of current security practices,” she said. “They are required to do regular training of employees, assessments of potential security risks, audits of security systems and that sort of thing.”
According to the report, Franklin Auto must maintain a comprehensive information security program and undergo data security audits by independent auditors every other year for 20 years.
In reference to the charges and settlements, administrators for Franklin said people interested can view the news release, settlement and case materials posted online at www.ftc.gov/os/caselist/1023094/index.shtm.
A second business was also indicted in the report released Thursday.
The FTC alleged that EPN Inc., a debt collector based in Provo, Utah, whose clients have included health-care providers, commercial credit organizations and retailers, also failed to implement reasonable security measures and made personal information of customers available online.
The EPN case ended in a settlement similar to the one reached between the FTC and Franklin Auto.
Jeff Harrison may be reached at (912) 489-9454.