A Toyota dealership in Georgia has been accused by the Federal Trade Commission of compromising consumer data through the use of peer-to-peer file-sharing software.
Franklin's Budget Car Sales Inc., also known as Franklin Toyota-Scion of Statesboro, Ga., failed to adopt reasonable security measures to protect consumers' personal information, the agency said.
As a result, information on 95,000 consumers -- including names, addresses, Social Security numbers, dates of birth and driver's license numbers -- was made available on a peer-to-peer file-sharing network, where any other user of that network could find and download it.
The charges against Franklin Toyota-Scion are the FTC's first action against an auto dealer for violations of Gramm-Leach-Bliley, the agency said in a June 7 statement. The 1999 law controls how financial institutions collect, handle and secure an individual's private information; under the FTC's rules, a dealer that extends credit or arranges vehicle financing for customers counts as a financial institution.
Franklin's security failures violated the Gramm-Leach-Bliley Safeguards Rule, as well as Section 5 of the FTC Act, the agency found.
Franklin also allegedly violated the Gramm-Leach-Bliley Privacy Rule by failing to provide annual privacy notices and by failing to give consumers a way to opt out of information-sharing with third parties, the agency said.
The FTC has proposed a settlement agreement with Franklin that would bar the dealership from misrepresenting the privacy, security, confidentiality and integrity of the personal information it collects from consumers.
Dan Cook, Franklin's vice president, said the FTC charges stemmed from a mid-2008 incident in which an employee downloaded consumer data files onto a flash drive and took them home to work on them using his home computer.
The home computer contained the peer-to-peer software that triggered the breach. None of the dealership's computers were ever loaded with the peer-to-peer software, Cook said.
The FTC did not say whether the privacy breach at Franklin resulted in identity-theft problems for any of the 95,000 consumers whose information was exposed.
Cook said the 95,000 consumers cited by the FTC were not all separate people. Some entries were repeated several times, he said, making the total number of people whose information was shared "probably less than half that total." And in many cases, the entries just included names, addresses and ZIP codes and not the more sensitive Social Security numbers and dates of birth.
As best as the dealership can determine, no consumer's credit profile has been violated, Cook said.
But that doesn't make the breach any better, he said.
"It happened," Cook said. "I can't make that go away."
He said Franklin's experience should be a cautionary tale for other dealers.
"I've worked in this business for 37 years," Cook said. "I think it could happen at almost any dealership unless they were aware of this particular case."
Franklin has cooperated with the FTC's investigation since early 2009, Cook said. Since then, Franklin has improved computer security, bolstered employee training and created a detailed computer and Internet policy manual.
"Our security is at least 10 times more strict than it was at that time," Cook said.
The FTC said the proposed settlement prohibits Franklin from violating the Gramm-Leach-Bliley Safeguards and Privacy rules. The settlement also requires Franklin to establish and maintain a comprehensive information security program and undergo data security audits by independent auditors every other year for 20 years.
The settlement agreement is open to public comment through July 9, after which the agency will decide whether to make a proposed consent order final.
The National Automobile Dealers Association notified its members this week of the Franklin case. Dealers should evaluate their own operations for similar risks, said Paul Metrey, NADA's chief regulatory counsel for financial services, privacy and tax.
"When you review your consumer information safeguards programs, make sure you closely examine threats that can be presented by peer-to-peer file sharing, because that would be subject to this particular action," Metrey said.
Peer-to-peer file-sharing software can be used to share music, videos and documents. The client publishes whatever sits in its configured shared folder, and a common mistake is to save work files there or to point the client at an entire drive or home directory. Anything in that folder is then searchable and downloadable by any other user of the network, with no password or approval step, and once another peer has copied a file, deleting the original does nothing to recall it.
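As an added example, not code from the article, the dealership or the FTC, the following Python script is the kind of check a dealer's safeguards program could run against the folder a peer-to-peer client exposes. It walks the folder, flags text files that contain Social Security numbers or dates of birth, and counts records against unique identities to show how repeated entries inflate a raw record count. The folder layout, file names and customer records are all constructed sample data, not real people or files from the case.

```python
"""
Scan a folder that a peer-to-peer client would expose for records that should
never be there: names tied to Social Security numbers and dates of birth.
Hypothetical example with constructed sample data; not the dealership's,
the FTC's or any vendor's tooling.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

# Conservative patterns: an SSN with a plausible area/group/serial (no 000,
# 666 or 9xx area; no 00 group; no 0000 serial) and a US-style date of birth.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b")

# Only plain-text formats are inspected; binaries (music, video) are skipped.
TEXT_EXTENSIONS = {".txt", ".csv", ".tsv", ".log"}


def scan_file(path):
    """Return (list of SSNs found, number of DOB hits) for one text file."""
    ssns, dob_hits = [], 0
    try:
        with open(path, "r", encoding="utf-8", errors="strict") as fh:
            for line in fh:
                ssns.extend(SSN_RE.findall(line))
                dob_hits += len(DOB_RE.findall(line))
    except (UnicodeDecodeError, OSError):
        # Undecodable or unreadable file: treat as not text, report nothing.
        return [], 0
    return ssns, dob_hits


def scan_share(root):
    """Walk a shared folder and summarise what any peer could download."""
    report = {
        "files_scanned": 0,
        "flagged_files": [],   # files containing an SSN or a date of birth
        "ssn_records": 0,      # raw count of SSN occurrences (duplicates included)
        "unique_ssns": 0,      # distinct SSNs, i.e. distinct people
        "dob_hits": 0,
    }
    seen = Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            report["files_scanned"] += 1
            ssns, dob_hits = scan_file(path)
            if ssns or dob_hits:
                report["flagged_files"].append(os.path.relpath(path, root))
            seen.update(ssns)
            report["dob_hits"] += dob_hits
    report["ssn_records"] = sum(seen.values())
    report["unique_ssns"] = len(seen)
    report["flagged_files"].sort()
    return report


def build_sample_share():
    """Create a throwaway 'shared folder' with constructed sample data."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "music"))
    with open(os.path.join(root, "music", "playlist.txt"), "w") as fh:
        fh.write("track01.mp3\ntrack02.mp3\n")
    # Constructed customer export: three records, but one person listed twice.
    with open(os.path.join(root, "customers_2008.csv"), "w") as fh:
        fh.write("name,address,ssn,dob\n")
        fh.write("A. Customer,1 Main St,123-45-6789,01/02/1970\n")
        fh.write("B. Customer,2 Oak St,456-78-9012,03/04/1965\n")
        fh.write("A. Customer,1 Main St,123-45-6789,01/02/1970\n")
    # Names and ZIP codes only: nothing here should be flagged.
    with open(os.path.join(root, "mailing_list.txt"), "w") as fh:
        fh.write("C. Customer, 30458\nD. Customer, 30461\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    try:
        for key, value in scan_share(share).items():
            print(f"{key}: {value}")
    finally:
        shutil.rmtree(share)
```

On the constructed sample the scan flags only `customers_2008.csv`, counts three SSN records but two unique SSNs, and leaves the names-and-ZIP mailing list alone. Running this against a real shared folder turns the question "was anything sensitive shared?" into a list of specific files to pull and a defensible count of affected people rather than of rows.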