EPN, Inc.; Analysis of Proposed Consent Order to Aid Public Comment, 35389-35391 [2012-14369]
Download as PDF
<![CDATA[
Federal Register / Vol. 77, No. 114 / Wednesday, June 13, 2012 / Notices
35389
EARLY TERMINATIONS GRANTED—Continued
[May 1, 2012 thru May 31, 2012]
20120836
G
20120843
G
20120845
20120849
G
G
20120834
G
20120838
G
20120842
G
20120851
G
20120852
20120853
20120854
G
G
G
20120857
G
05/30/2012 ............................................................
20120871
20120861
G
G
05/31/2012 ............................................................
20120812
G
05/29/2012 ............................................................
FOR FURTHER INFORMATION CONTACT:
Renee Chapman, Contact
Representative, or
Theresa Kingsberry, Legal Assistant,
Federal Trade Commission, Premerger
Notification Office, Bureau of
Competition, Room H–303, Washington,
DC 20580, (202) 326–3100.
By Direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2012–14256 Filed 6–12–12; 8:45 am]
BILLING CODE 6750–01–M
FEDERAL TRADE COMMISSION
[File No. 112 3143]
EPN, Inc.; Analysis of Proposed
Consent Order to Aid Public Comment
Federal Trade Commission.
Proposed Consent Agreement.
AGENCY:
ACTION:
The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices or unfair
methods of competition. The attached
Analysis to Aid Public Comment
describes both the allegations in the
draft complaint and the terms of the
consent order—embodied in the consent
agreement—that would settle these
allegations.
DATES: Comments must be received on
or before July 9, 2012.
ADDRESSES: Interested parties may file a
comment online or on paper, by
erowe on DSK2VPTVN1PROD with NOTICES
SUMMARY:
VerDate Mar<15>2010
14:45 Jun 12, 2012
Jkt 226001
Danaher Corporation; VSS Monitoring, Inc.; Danaher Corporation.
Akira Holding Foundation; Imperial Sugar Company; Akira Holding Foundation.
Delta Air Lines, Inc.; Phillips 66; Delta Air Lines, Inc.
Energy Transfer Equity, L.P.; Sunoco, Inc.; Energy Transfer Equity, L.P.
Centre Capital Investors V, L.P.; FKA Distributing Co.; Centre
Capital Investors V, L.P.
Wells Fargo & Company; Merlin Group Holdings, LLC; Wells
Fargo & Company.
H.I.G. Capital Partners IV, L.P.; Madhavan K. Nayar; H.I.G. Capital Partners IV, L.P.
Crosstex Energy, L.P.; Energy Equity Partners, L.P.; Crosstex
Energy, L.P.
OCP Trust; Golfsmith International Holdings, Inc.; OCP Trust.
Nucor Corporation; ArcelorMittal S.A.; Nucor Corporation.
General Dynamics Corporation; IPW Holdings, Inc.; General Dynamics Corporation.
The Resolute Fund II, L.P.; Babcock International Group Inc.;
The Resolute Fund H, L.P.
Ajay Piramal; Providence Equity Partners V L.P.; Ajay Piramal.
Agilent Technologies, Inc.; EQT V (No.1) Limited Partnership;
Agilent Technologies, Inc.
Seagate Technology plc; Philippe Spruch; Seagate Technology
plc.
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write AEPN, File No. 112 3143’’
on your comment, and file your
comment online at https://
ftcpublic.commentworks.com/ftc/
epnconsent, by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, mail or deliver your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580.
FOR FURTHER INFORMATION CONTACT:
Jessica Lyon (202–326–2344), FTC,
Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to section 6(f) of the Federal Trade
Commission Act, 38 Stat. 721, 15 U.S.C.
46(f), and § 2.34 the Commission Rules
of Practice, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
PO 00000
Frm 00039
Fmt 4703
Sfmt 4703
Home Page (for June 7, 2012), on the
World Wide Web, at https://www.ftc.gov/
os/actions.shtm. A paper copy can be
obtained from the FTC Public Reference
Room, Room 130–H, 600 Pennsylvania
Avenue NW., Washington, DC 20580,
either in person or by calling (202) 326–
2222.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before July 9, 2012. Write AEPN, File
No. 112 3143’’ on your comment. Your
comment B including your name and
your state B will be placed on the public
record of this proceeding, including, to
the extent practicable, on the public
Commission Web site, at https://
www.ftc.gov/os/publiccomments.shtm.
As a matter of discretion, the
Commission tries to remove individuals’
home contact information from
comments before placing them on the
Commission Web site.
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, like anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, like medical records or
other individually identifiable health
information. In addition, do not include
E:\FR\FM\13JNN1.SGM
13JNN1
erowe on DSK2VPTVN1PROD with NOTICES
35390
Federal Register / Vol. 77, No. 114 / Wednesday, June 13, 2012 / Notices
any ‘‘[t]rade secret or any commercial or
financial information which is obtained
from any person and which is privileged
or confidential,’’ as provided in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2).
In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).1 Your comment will be kept
confidential only if the FTC General
Counsel, in his or her sole discretion,
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
epnconsent by following the
instructions on the web-based form. If
this Notice appears at https://
www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write AEPN, File No. 112 3143’’ on your
comment and on the envelope, and mail
or deliver it to the following address:
Federal Trade Commission, Office of the
Secretary, Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580. If possible, submit your
paper comment to the Commission by
courier or overnight service.
Visit the Commission Web site at
https://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before July 9, 2012. You can find more
information, including routine uses
permitted by the Privacy Act, in the
Commission’s privacy policy, at https://
www.ftc.gov/ftc/privacy.htm.
1 In particular, the written request for confidential
treatment that accompanies the comment must
include the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record. See
FTC Rule 4.9(c), 16 CFR 4.9(c).
VerDate Mar<15>2010
14:45 Jun 12, 2012
Jkt 226001
Analysis of Agreement Containing
Consent Order To Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, a
consent agreement from EPN, Inc.
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
The Commission’s proposed
complaint alleges that EPN, which does
business as Checknet, Inc., is a Utah
corporation that is in the business of
collecting debts for clients in a variety
of industries, including commercial
credit, retail, and healthcare. According
to the complaint, In conducting
business, EPN routinely obtains
information about its clients’ customers,
which includes, but is not limited to:
name, address, date of birth, gender,
Social Security number, employer
address, employer phone number, and
in the case of healthcare clients,
physician name, insurance number,
diagnosis code, and medical visit type.
The complaint further alleges that
EPN engaged in a number of practices
that, taken together, failed to provide
reasonable and appropriate security for
personal information on its computers
and networks. In particular, EPN failed
to: (1) Adopt an information security
plan that was appropriate for its
networks and the personal information
processed and stored on them; (2) assess
risks to the consumer personal
information it collected and stored
online; (3) adequately train employees
about security to prevent unauthorized
disclosure of personal information; (4)
use reasonable measures to assess and
enforce compliance with its security
policies and procedures, such as
scanning networks to identify
unauthorized peer-to-peer (‘‘P2P’’) file
sharing applications and other
unauthorized applications operating on
the networks or blocking installation of
such programs; and (5) use reasonable
methods to prevent, detect, and
investigate unauthorized access to
personal information on its networks,
such as by adequately logging network
activity and inspecting outgoing
transmissions to the Internet to identify
unauthorized disclosures of personal
information.
The complaint alleges that as a result
of these failures, an EPN employee was
PO 00000
Frm 00040
Fmt 4703
Sfmt 4703
able to install a P2P application on her
desktop computer, which was
connected to EPN’s computer network,
resulting in two files containing
personal information about a client’s
customers being made available on a
P2P network; other files containing
personal information may also have
been shared to P2P networks from that
computer. The breached files contained
personal information about
approximately 3,800 consumers,
including each consumer’s name,
address, date of birth, Social Security
number, employer name, employer
address, health insurance number, and
a diagnosis code. The complaint alleges
that such information, among other
things, can easily be used to facilitate
identity theft (which also could result in
medical histories that are inaccurate
because they include the medical
records of identity thieves) and exposes
sensitive medical data.
In fact, the presence of P2P software
on business computers can pose
significant data security risks. A 2010
FTC examination of P2P-related
breaches uncovered a wide range of
sensitive consumer data available on
P2P networks, including health-related
information, financial records, and
drivers’ license and Social Security
numbers. See Press Release, FTC,
Widespread Data Breaches Uncovered
by FTC Probe (Feb. 22, 2010), https://
www.ftc.gov/opa/2010/02/
p2palert.shtm. Files shared to a P2P
network are available for viewing or
downloading by any computer user with
access to the network. Generally, a file
that has been shared cannot be removed
permanently from the P2P network. In
addition, files can be shared among
computers long after they have been
deleted from the original source
computer.
According to the complaint, EPN’s
failure to employ reasonable and
appropriate measures to prevent
unauthorized access to personal
information caused, or is likely to cause
substantial injury to consumers that is
not offset by countervailing benefits to
consumers or competition and is not
reasonably avoidable by consumers.
Therefore, EPN’s practices were, and are
an unfair act or practice, in or affecting
commerce, in violation of Section 5(a) of
the Federal Trade Commission Act, 15
U.S.C. 45(a).
The proposed order contains
provisions designed to prevent EPN
from engaging in the future in practices
similar to those alleged in the
complaint.
Part I of the proposed order prohibits
misrepresentations about the privacy,
security, confidentiality, and integrity of
E:\FR\FM\13JNN1.SGM
13JNN1
Federal Register / Vol. 77, No. 114 / Wednesday, June 13, 2012 / Notices
any personal information collected from
or about consumers. Part II of the
proposed order requires EPN to
establish, implement, and thereafter
maintain a comprehensive information
security program, including the
designation of an employee to oversee
EPN’s security program, employee
training, and implementation of
reasonable safeguards. Part III of the
order requires EPN to obtain, for a
period of twenty years, biennial
assessments of its information security
program from an independent thirdparty professional possessing certain
credentials or certifications.
Parts IV through VIII of the proposed
order are reporting and compliance
provisions. Part IV requires EPN to
retain documents relating to its
compliance with the order. For most
records, the order requires that the
documents be retained for a five-year
period. For the third party assessments
and supporting documents, EPN must
retain the documents for a period of
three years after the date that each
assessment is prepared. Part V requires
dissemination of the order now and in
the future to persons with
responsibilities relating to the subject
matter of the order. Part VI ensures
notification to the FTC of changes in
corporate status. Part VII mandates that
EPN submit a compliance report to the
FTC within 90 days, and periodically
thereafter as requested. Part VIII is a
provision ‘‘sunsetting’’ the order after
twenty (20) years, with certain
exceptions.
The purpose of the analysis is to aid
public comment on the proposed order.
It is not intended to constitute an
official interpretation of the proposed
order or to modify its terms in any way.
By direction of the Commission.
Richard C. Donohue,
Acting Secretary.
[FR Doc. 2012–14369 Filed 6–12–12; 8:45 am]
BILLING CODE 6750–01–P
FEDERAL TRADE COMMISSION
[File No. 102 3094]
Franklin Budget Car Sales, Inc.;
Analysis of Proposed Consent Order
To Aid Public Comment
Federal Trade Commission.
Proposed Consent Agreement.
erowe on DSK2VPTVN1PROD with NOTICES
AGENCY:
ACTION:
The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices or unfair
methods of competition. The attached
Analysis to Aid Public Comment
SUMMARY:
VerDate Mar<15>2010
14:45 Jun 12, 2012
Jkt 226001
describes both the allegations in the
draft complaint and the terms of the
consent order—embodied in the consent
agreement—that would settle these
allegations.
DATES: Comments must be received on
or before July 9, 2012.
ADDRESSES: Interested parties may file a
comment online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘Franklin Auto Mall, File
No. 102 3094’’ on your comment, and
file your comment online at https://
ftcpublic.commentworks.com/ftc/
franklinautomallconsent, by following
the instructions on the Web-based form.
If you prefer to file your comment on
paper, mail or deliver your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580.
FOR FURTHER INFORMATION CONTACT:
Karen Jagielski (202–326–2509), FTC,
Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to section 6(f) of the Federal Trade
Commission Act, 38 Stat. 721, 15 U.S.C.
46(f), and 2.34 the Commission Rules of
Practice, 16 CFR 2.34, notice is hereby
given that the above-captioned consent
agreement containing a consent order to
cease and desist, having been filed with
and accepted, subject to final approval,
by the Commission, has been placed on
the public record for a period of thirty
(30) days. The following Analysis to Aid
Public Comment describes the terms of
the consent agreement, and the
allegations in the complaint. An
electronic copy of the full text of the
consent agreement package can be
obtained from the FTC Home Page (for
June 7, 2012), on the World Wide Web,
at https://www.ftc.gov/os/actions.shtm. A
paper copy can be obtained from the
FTC Public Reference Room, Room 130–
H, 600 Pennsylvania Avenue NW.,
Washington, DC 20580, either in person
or by calling (202) 326–2222.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before July 9, 2012. Write ‘‘Franklin
Auto Mall, File No. 102 3094’’ on your
comment. Your comment—including
your name and your state—will be
placed on the public record of this
proceeding, including, to the extent
practicable, on the public Commission
Web site, at https://www.ftc.gov/os/
publiccomments.shtm. As a matter of
discretion, the Commission tries to
PO 00000
Frm 00041
Fmt 4703
Sfmt 4703
35391
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, like anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, like medical records or
other individually identifiable health
information. In addition, do not include
any ‘‘[t]rade secret or any commercial or
financial information which is obtained
from any person and which is privileged
or confidential,’’ as provided in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2).
In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).1 Your comment will be kept
confidential only if the FTC General
Counsel, in his or her sole discretion,
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
franklinautomallconsent by following
the instructions on the web-based form.
If this Notice appears at https://
www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘Franklin Auto Mall, File No. 102
3094’’ on your comment and on the
envelope, and mail or deliver it to the
following address: Federal Trade
Commission, Office of the Secretary,
1 In particular, the written request for confidential
treatment that accompanies the comment must
include the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record. See
FTC Rule 4.9(c), 16 CFR 4.9(c).
E:\FR\FM\13JNN1.SGM
13JNN1
]]>Agencies
[Federal Register Volume 77, Number 114 (Wednesday, June 13, 2012)]
[Notices]
[Pages 35389-35391]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-14369]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 112 3143]
EPN, Inc.; Analysis of Proposed Consent Order to Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before July 9, 2012.
ADDRESSES: Interested parties may file a comment online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write AEPN, File No. 112
3143'' on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/epnconsent, by following the
instructions on the web-based form. If you prefer to file your comment
on paper, mail or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Room H-113 (Annex
D), 600 Pennsylvania Avenue NW., Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Jessica Lyon (202-326-2344), FTC,
Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 the
Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that
the above-captioned consent agreement containing a consent order to
cease and desist, having been filed with and accepted, subject to final
approval, by the Commission, has been placed on the public record for a
period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for June 7, 2012), on the World Wide Web, at https://www.ftc.gov/os/actions.shtm. A paper copy can be obtained from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue NW., Washington, DC
20580, either in person or by calling (202) 326-2222.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before July 9, 2012.
Write AEPN, File No. 112 3143'' on your comment. Your comment B
including your name and your state B will be placed on the public
record of this proceeding, including, to the extent practicable, on the
public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to
remove individuals' home contact information from comments before
placing them on the Commission Web site.
Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, like anyone's Social Security number,
date of birth, driver's license number or other state identification
number or foreign country equivalent, passport number, financial
account number, or credit or debit card number. You are also solely
responsible for making sure that your comment does not include any
sensitive health information, like medical records or other
individually identifiable health information. In addition, do not
include
[[Page 35390]]
any ``[t]rade secret or any commercial or financial information which
is obtained from any person and which is privileged or confidential,''
as provided in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC
Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include
competitively sensitive information such as costs, sales statistics,
inventories, formulas, patterns, devices, manufacturing processes, or
customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you have to follow the procedure explained
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept
confidential only if the FTC General Counsel, in his or her sole
discretion, grants your request in accordance with the law and the
public interest.
---------------------------------------------------------------------------
\1\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/epnconsent by following the instructions on the web-based form. If
this Notice appears at https://www.regulations.gov/#!home, you also may
file a comment through that Web site.
If you file your comment on paper, write AEPN, File No. 112 3143''
on your comment and on the envelope, and mail or deliver it to the
following address: Federal Trade Commission, Office of the Secretary,
Room H-113 (Annex D), 600 Pennsylvania Avenue NW., Washington, DC
20580. If possible, submit your paper comment to the Commission by
courier or overnight service.
Visit the Commission Web site at https://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before July 9, 2012. You can find more information,
including routine uses permitted by the Privacy Act, in the
Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent agreement from EPN, Inc.
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
The Commission's proposed complaint alleges that EPN, which does
business as Checknet, Inc., is a Utah corporation that is in the
business of collecting debts for clients in a variety of industries,
including commercial credit, retail, and healthcare. According to the
complaint, In conducting business, EPN routinely obtains information
about its clients' customers, which includes, but is not limited to:
name, address, date of birth, gender, Social Security number, employer
address, employer phone number, and in the case of healthcare clients,
physician name, insurance number, diagnosis code, and medical visit
type.
The complaint further alleges that EPN engaged in a number of
practices that, taken together, failed to provide reasonable and
appropriate security for personal information on its computers and
networks. In particular, EPN failed to: (1) Adopt an information
security plan that was appropriate for its networks and the personal
information processed and stored on them; (2) assess risks to the
consumer personal information it collected and stored online; (3)
adequately train employees about security to prevent unauthorized
disclosure of personal information; (4) use reasonable measures to
assess and enforce compliance with its security policies and
procedures, such as scanning networks to identify unauthorized peer-to-
peer (``P2P'') file sharing applications and other unauthorized
applications operating on the networks or blocking installation of such
programs; and (5) use reasonable methods to prevent, detect, and
investigate unauthorized access to personal information on its
networks, such as by adequately logging network activity and inspecting
outgoing transmissions to the Internet to identify unauthorized
disclosures of personal information.
The complaint alleges that as a result of these failures, an EPN
employee was able to install a P2P application on her desktop computer,
which was connected to EPN's computer network, resulting in two files
containing personal information about a client's customers being made
available on a P2P network; other files containing personal information
may also have been shared to P2P networks from that computer. The
breached files contained personal information about approximately 3,800
consumers, including each consumer's name, address, date of birth,
Social Security number, employer name, employer address, health
insurance number, and a diagnosis code. The complaint alleges that such
information, among other things, can easily be used to facilitate
identity theft (which also could result in medical histories that are
inaccurate because they include the medical records of identity
thieves) and exposes sensitive medical data.
In fact, the presence of P2P software on business computers can
pose significant data security risks. A 2010 FTC examination of P2P-
related breaches uncovered a wide range of sensitive consumer data
available on P2P networks, including health-related information,
financial records, and drivers' license and Social Security numbers.
See Press Release, FTC, Widespread Data Breaches Uncovered by FTC Probe
(Feb. 22, 2010), https://www.ftc.gov/opa/2010/02/p2palert.shtm. Files
shared to a P2P network are available for viewing or downloading by any
computer user with access to the network. Generally, a file that has
been shared cannot be removed permanently from the P2P network. In
addition, files can be shared among computers long after they have been
deleted from the original source computer.
According to the complaint, EPN's failure to employ reasonable and
appropriate measures to prevent unauthorized access to personal
information caused, or is likely to cause substantial injury to
consumers that is not offset by countervailing benefits to consumers or
competition and is not reasonably avoidable by consumers. Therefore,
EPN's practices were, and are an unfair act or practice, in or
affecting commerce, in violation of Section 5(a) of the Federal Trade
Commission Act, 15 U.S.C. 45(a).
The proposed order contains provisions designed to prevent EPN from
engaging in the future in practices similar to those alleged in the
complaint.
Part I of the proposed order prohibits misrepresentations about the
privacy, security, confidentiality, and integrity of
[[Page 35391]]
any personal information collected from or about consumers. Part II of
the proposed order requires EPN to establish, implement, and thereafter
maintain a comprehensive information security program, including the
designation of an employee to oversee EPN's security program, employee
training, and implementation of reasonable safeguards. Part III of the
order requires EPN to obtain, for a period of twenty years, biennial
assessments of its information security program from an independent
third-party professional possessing certain credentials or
certifications.
Parts IV through VIII of the proposed order are reporting and
compliance provisions. Part IV requires EPN to retain documents
relating to its compliance with the order. For most records, the order
requires that the documents be retained for a five-year period. For the
third party assessments and supporting documents, EPN must retain the
documents for a period of three years after the date that each
assessment is prepared. Part V requires dissemination of the order now
and in the future to persons with responsibilities relating to the
subject matter of the order. Part VI ensures notification to the FTC of
changes in corporate status. Part VII mandates that EPN submit a
compliance report to the FTC within 90 days, and periodically
thereafter as requested. Part VIII is a provision ``sunsetting'' the
order after twenty (20) years, with certain exceptions.
The purpose of the analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed order or to modify its terms in any way.
By direction of the Commission.
Richard C. Donohue,
Acting Secretary.
[FR Doc. 2012-14369 Filed 6-12-12; 8:45 am]
BILLING CODE 6750-01-P
