4 years after fact, Feds slap Provo firm’s hand
Security • Regulators say it’s not too late to cite debt collector for release of data.
Published: June 14, 2012 09:00PM
Updated: June 14, 2012 06:35PM

No harm and only a minor foul, a Provo company is crying, after federal regulators came down on it for a security breach of customer information — four years after it happened.

EPN Inc., a debt-collection company that operates under the name Checknet, has entered into an agreement with the Federal Trade Commission that requires it to follow certain procedures to protect its data for the next 20 years.

Last week, the commission released a complaint and the agreement it had reached with EPN over the accidental release of information that contained personal data from 3,800 consumers, such as name, address, Social Security numbers, employer and the number of their health insurance policy.

But that security faux pas took place in 2008, after a co-owner of the 40-year-plus operation had installed a peer-to-peer (P2P) program on her computer that shoveled a file out into the P2P network.

Jessica Devenish, president and CEO of EPN, said Thursday that none of the shared data resulted in an identity theft or other problems for consumers. In fact, she said, the FTC didn’t even know until 2010 that P2P software could pose a security hazard.

“The incident that led to the FTC complaint was a one-time, isolated event that involved a limited number of records pertaining to one particular client,” Devenish said. “No identity theft, no material harm and no fraud has occurred as a result of the incident. Four years later … no evidence of harm remains.”

Jessica Lyon, an FTC attorney, said the case was part of an FTC emphasis on citing companies that allow data breaches of consumer information. In 2010, it notified about 100 companies about data security problems, she said.

“It’s an issue we want to call attention to and to make sure businesses are thinking about the types of information they are holding and really giving some serious thought to where risks to that information might crop up,” said Lyon.

The same day the FTC released its complaint about EPN, it also cited a Georgia car dealer for allowing P2P software to be installed on its computer system, which allowed outside access to information on 95,000 consumers.

In its complaint against EPN, the FTC said the company had failed to adopt an information security plan, nor did it adequately train employees about security and did not have in place methods to prevent or detect unauthorized access to personal information.

As part of its agreement with the FTC, the company agreed to follow security standards and will do regular audits to ensure safe data storage.

“Although no harm was done, it was still an error,” said Devenish, who added that the incident had “strengthened our resolve to look into the nooks and crannies of our operation, find weakness and make corrections.”