P2P networks sharing sensitive data
Written by John P Mello Jr on February 26, 2010
The FTC is raising the red flag over data breaches caused by P2P software.
A growing problem with the inadvertent disclosure of sensitive information through peer-to-peer (P2P) networks was exposed this week by the U.S. Federal Trade Commission (FTC). In a letter sent to almost 100 organizations, the agency raised the red flag that sensitive customer and employee information from those entities was being shared on public P2P networks where anyone could see it. It warned the organizations that the data could be used by unscrupulous parties to steal identities or perpetrate fraud.
“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk,” FTC Chairman Jon Leibowitz said in a statement.
“For example,” he continued, “we found health-related information, financial records, and drivers’ license and social security numbers–the kind of information that could lead to identity theft.”
“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” he added. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”
The FTC’s letter went to both public and private organizations ranging in size from as small as eight employees to publicly traded companies with 10,000 or more workers.
Although receipt of the letter doesn’t mean that an organization has broken any laws, the agency cautioned recipients, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.” It added that failure to prevent sensitive information from being shared on a P2P network could violate federal law.
It went on to note that if customer and employee confidential information was exposed on a P2P network, an organization should consider notifying the affected parties. In some cases, it added, such notification is required by state or federal law.
Along with the letter, the agency issued a business information brochure aimed at educating organizations about the dangers of P2P software. Titled “Peer-to-Peer File Sharing: A Guide for Business,” the publication offers an overview of the technology.
It explains what P2P software does and how it can jeopardize security. “People who use P2P file sharing software can inadvertently share files,” the publication warned. “They might accidentally choose to share drives or folders that contain sensitive information, or they could save a private file to a shared drive or folder by mistake, making that private file available to others.”
It also makes some recommendations to secure sensitive information on a network:
- Delete sensitive information you don’t need, and restrict where files with sensitive information can be saved.
- Minimize or eliminate the use of P2P file sharing programs on computers used to store or access sensitive information.
- Use appropriate file-naming conventions.
- Monitor your network to detect unapproved P2P file sharing programs.
- Block traffic associated with unapproved P2P file sharing programs at the network perimeter or network firewalls.
- Train employees and others who access your network about the security risks inherent in using P2P file sharing programs.
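The guide's first and fourth recommendations, finding sensitive data before it is exposed and monitoring for it, can be partly automated. As an added example (not from the FTC guide or this article), this hypothetical Python audit walks the folders a P2P client is configured to share and flags files containing Social Security numbers or Luhn-valid payment-card numbers; the regexes, folder list and sample files are all constructed assumptions.

```python
import os, re, tempfile

# Constructed regexes for two data types named in the FTC letter (hypothetical, not from the guide).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits):
    """Luhn check so random digit runs (order numbers, IDs) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Count SSNs and Luhn-valid card numbers in one file's text."""
    hits = {"ssn": len(SSN_RE.findall(text)), "card": 0}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits["card"] += 1
    return hits

def audit_shared_folders(folders, max_bytes=1_000_000):
    """Walk each folder a P2P client exposes; return (path, hits) for risky files."""
    findings = []
    for root in folders:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        text = fh.read(max_bytes).decode("utf-8", "ignore")
                except OSError:
                    continue  # unreadable file: skip it, do not abort the audit
                hits = scan_text(text)
                if any(hits.values()):
                    findings.append((path, hits))
    return findings

def demo():
    """Audit a constructed share folder; returns [(file name, hits), ...]."""
    share = tempfile.mkdtemp(prefix="p2p_share_")
    samples = {  # constructed sample contents
        "payroll.csv": "name,ssn\nA. Smith,123-45-6789\n",
        "orders.txt": "order 4111 1111 1111 1111 shipped\n",  # Luhn-valid test PAN
        "music.txt": "track list 1234567890123456\n",  # digits, not Luhn-valid
    }
    for name, body in samples.items():
        with open(os.path.join(share, name), "w") as fh:
            fh.write(body)
    return [(os.path.basename(p), h) for p, h in audit_shared_folders([share])]
```

Run `demo()` to see which of the constructed files would be reported; in practice the folder list comes from the P2P client's share configuration, and a hit means the file should be moved out of the share or deleted per the guide's first recommendation.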
The FTC isn’t the only one in Washington concerned about data breaches caused by P2P software. Congress has gotten in on the act, too. Last March, a bipartisan trio of House members, Mary Bono Mack, R-Calif.; John Barrow, D-Ga.; and Joe Barton, R-Texas, filed the “Informed P2P User Act.”
The bill makes it unlawful “for any person who is not an owner or authorized user of a protected computer to induce an owner or authorized user of the protected computer to make files from a protected computer available to another computer through a peer-to-peer file sharing program without:
“(1) immediately before program installation, providing conspicuous notice that the program allows files on the protected computer to be available for searching and copying by another computer and obtaining informed consent to the installation; and
“(2) immediately before initial activation of a file sharing function of the program, providing conspicuous notice of which files are to be made available to another computer and obtaining informed consent.”
For the purposes of the proposed law, a “protected computer” is one “used by a financial institution or the federal government or which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a way that affects U.S. interstate or foreign commerce.”
The legislation passed the House in December and is currently before the Senate Committee on Commerce, Science, and Transportation.