FTC Charges First Dealer With GLB Privacy Violations
The Federal Trade Commission reached settlements with a dealer and a software company after the federal regulator charged them with exposing consumer information through peer-to-peer, file-sharing software.
WASHINGTON, D.C. — The FTC has charged two businesses, including Statesboro, Ga.-based Toyota Scion dealer, with illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer, file-sharing software to be installed on their corporate computer systems.
Settlements with the dealer and debt collection business, will bar misrepresentations about their privacy, security, confidentiality, and integrity of any personal information. Both companies must also establish and maintain comprehensive information security programs.
The FTC charged that Statesboro, Ga.-based Franklin's Budget Car Sales Inc., also known as Franklin Toyota/Scion, compromised consumers' personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network.
Despite a privacy policy stating that customer information will only be viewed by employees who require the information to provide products and services, the dealership, according to the FTC’s complaint, allegedly failed to implement reasonable security measures to protect consumers' personal information. As a result, the complaint states, information for 95,000 consumers was made available on the P2P network. The information included names, addresses, Social Security numbers, dates of birth and driver's license numbers.
The agency charged that Franklin failed to assess risks to the consumer information it collected and stored online, and failed to adopt policies to prevent or limit unauthorized disclosure of information. It also allegedly failed to prevent, detect and investigate unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information.
Because Franklin is a financial institution, the alleged security failures violated the Gramm-Leach-Bliley (GLB) Safeguards Rule, as well as Section 5 of the FTC Act. Franklin also allegedly failed to provide annual privacy notices and provide a mechanism by which consumers could opt out of information sharing with third parties, a violation of the GLB Privacy Rule. This is the FTC’s first action against an auto dealer charging GLB violations.
The settlement agreement with Franklin will bar misrepresentations about the privacy, security, confidentiality, and integrity of personal information collected from consumers. It bars Franklin from violating the GLB Safeguards Rule and Privacy Rule. Under the settlement, Franklin Auto must also establish and maintain a comprehensive information security program and undergo data security audits by independent auditors every other year for 20 years.
In a separate case, P2P technology’s usage came into question. The FTC found that P2P software can pose significant data security risks.A 2010 FTC examination of P2P-related breaches uncovered a wide range of sensitive consumer data available on P2P networks. Files shared to a P2P network are available for viewing or downloading by any computer user with access to the network. Generally, a file that has been shared cannot be permanently removed from the P2P network. In addition, files can be shared among computers long after they have been deleted from the original source computer.
The FTC alleged that EPN Inc., a debt collector based in Provo, Utah, failed to implement reasonable security measures for personal information on its computers and networks. The company’s clients include healthcare providers, commercial credit organizations and retailers.
As a result of these failures, EPN's chief operating officer was able to install P2P file-sharing software on the EPN computer system, causing sensitive information, including Social Security numbers, health insurance numbers and medical diagnosis codes of 3,800 hospital patients, to be made available to any computer connected to the P2P network. The agency charged that the company did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, such as scanning its networks to identify any P2P file-sharing applications operating on them, and did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks. According to the agency, the failure to implement reasonable and appropriate data security measures was an unfair act or practice and violated federal law.
The settlement order with debt collector EPN bars misrepresentations about the privacy, security, confidentiality, and integrity of any personal information. It requires EPN to establish and maintain a comprehensive information security program. It also requires EPN to undergo data security audits by independent auditors every other year for 20 years.
The Commission voted 5-0 to accept the consent agreement packages containing the proposed consent orders for public comment. The FTC will publish a description of the consent agreement packages in the Federal Register. The agreement will be subject to public comment for 30 days, beginning today and continuing through July 9, after which the Commission will decide whether to make the proposed consent order final.
More F&I

Trust Is Personal
Technology, no matter how efficient, can’t replace what the human F&I manager can do, which is to bridge the divide between cyberspace and the in-store experience.
Read More →
Amplify 2026 Billed as Turning Innovation Into Results
Reynolds and Reynolds says its annual retail summit will connect dealers with practical strategies, peer insight, and technology-driven ideas.
Read More →
Own Your Outcome: F&I in the Digital Customer Journey
Finance has historically been the last step in the car-buying process, but it doesn’t have to be. The customer’s journey starts long before they arrive at the dealership, and so should F&I’s involvement.
Read More →
Tariffs Could Raise Insurance Premiums
As U.S. import tariffs affect repair costs, consumers might find it more affordable to replace a damaged vehicle, according to recent Insurify tariff analysis.
Read More →
Smaller Loans, Longer Terms
The youngest generation of car buyers is more likely to finance less expensive vehicles, more than half of generation Z consumers borrowing less than $25,000.
Read More →
New Lifetime Battery F&I Product Meant to Drive Dealer Traffic
EFG Cos. offering is intended to create lifetime auto dealer engagement with customers.
Read More →
The Psychology Behind Menus That Increase Add-On Sales
There is a science to crafting a menu that gives customers confidence in the choices presented, and moving the process outside the F&I office can further boost results.
Read More →
Why Your F&I PVR Is Misleading You
Here’s a handy checklist of the numbers to track in 2026 instead.
Read More →
Auto Consumer Anxiety Presents Opportunity
A survey of U.S. drivers found the majority are concerned about finances and the economy, but those fears make many ready to buy vehicle-protection products.
Read More →
Humble and Hungry: 12 Rules for an F&I Life
Dustin Gingerich, with a decade in the F&I business under his belt, shares his thoughts on leadership, building trust with customers, and the importance of learning and innovation.
Read More →