Holes in local governments’ IT security leak personal data
In February, the Federal Trade Commission (FTC) notified almost 100 organizations, including several local governments, that sensitive data about customers and/or employees had been shared from the organizations’ computer networks on peer-to-peer (P2P) file-sharing networks. The breach, which was likely accidental, could put hundreds of people at risk for identity theft and fraud.
P2P technology can be used in many ways, such as to play games, make online telephone calls, and share music, video and documents, according to the FTC. But, when P2P file-sharing software — such as Kazaa, WinMX and Overnet — is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network. “Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ licenses and social security numbers — the kind of information that could lead to identity theft,” says FTC Chairman Jon Leibowitz.
The Gramm-Leach-Bliley Act and Section 5 of the FTC Act require most companies to take reasonable and appropriate security measures to protect sensitive personal information. Failure to prevent such information from being shared to a P2P network may violate such laws. The FTC also recommended that the entities notify affected customers and employees that their information is available on P2P networks. “Many states and federal regulatory agencies have laws or guidelines about notification,” the FTC said in its press release.
Larger cities and counties do not appear to be experiencing data security problems with P2P networks, says Public Technology Institute Executive Director Alan Shark, but smaller governments with fewer staff and older computer systems may be less aware of the problem. “Most of the newer systems are much more sophisticated than some of the old ones, and that’s where a lot of the abuses came from,” Shark says.
The FTC brochure “Peer-to-Peer File Sharing: A Guide for Business” aims to assist businesses and others as they consider whether to allow file-sharing technologies on their networks, and explains how to safeguard sensitive information on their systems. Download it at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus46.shtm. Tips for consumers about computer security and P2P can be found at www.onguardonline.gov/topics/p2p-security.aspx.