11 Jun 2012

FTC says EPN d/b/a Checknet exposed sensitive consumer information

…was found in violation of the provisions of the Federal Trade Commission Act.

…practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computers and networks. Among other things, Respondent failed to:

(a) Adopt an information security plan that was appropriate for its networks and the personal information processed and stored on them. For example, EPN did not have an incident response plan;

(b) Assess risks to the consumer personal information it collected and stored online;

(c) Adequately train employees about security to prevent unauthorized disclosure of personal information;

(d) Use reasonable measures to assess and enforce compliance with its security policies and procedures, such as scanning networks to identify unauthorized peer-to-peer (“P2P”) file sharing applications and other unauthorized applications operating on the networks or blocking installation of such programs; and

(e) Use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on its networks, such as by adequately logging network activity and inspecting outgoing transmissions to the Internet to identify unauthorized disclosures of personal information.

EPN’s chief operating officer was able to install a P2P application on her desktop computer, which was connected to EPN’s computer network… it was disabled in April 2008 when EPN was informed by a client that two files containing personal information about the client’s debtors were available on a P2P network (“breached files”).