The Federal Communications Commission ("FCC") voted on
October 24, 2014 to pursue fines of $10 million against two
companies for alleged violations of laws protecting the privacy of
telephone customers' personal information. This is the second
major enforcement action the FCC has taken to protect consumer
privacy in the last two months, but it is the first time ever that
such a fine has been based on failures of data security rather than
failures to obtain consent or similar misuse of customer data. This
fine appears to extend the FCC definitively into the enforcement of
cybersecurity, a realm in which it has not previously taken a major
role.

According to an investigation by the FCC's Enforcement Bureau,
two wireless carriers—TerraCom and YourTel—allegedly
stored Social Security numbers, names, addresses, driver's
licenses, and other sensitive information belonging to their
customers on unprotected internet servers that anyone in the world
could access. This alleged breach made news last year when
journalists reported that they were able to access customer
information for TerraCom and YourTel that had been posted to the
website of a third-party call center operator that was under
contract to the companies. The FCC explained that these companies
allegedly breached the personal data of up to 300,000 consumers
through their lax data security practices and exposed those
consumers to identity theft and fraud.

In its first-of-a-kind data security enforcement order, the FCC
identifies an unusually wide range of statutory justifications for
the fine. The FCC cites the carriers' statutory duty to protect
customer data but also alleges "unjust and unreasonable
practice" for inadequately protecting the information and
failing to notify customers, as well as "deceptive and
misleading" representations contained in the two
companies' privacy policies.

The FCC's two Republican Commissioners dissented in the
decision, arguing that the FCC has never adopted rules specifically
prohibiting the types of data security failures alleged to have
been committed by the two carriers, and the FCC may lack statutory
authority to do so. FCC Chairman Thomas Wheeler responded to the
dissenting Commissioners, stating, "we do not need detailed ex
ante rules and regulations to know that this is simply
unacceptable."

The FCC's action follows a $7.4 million settlement in
September 2014 between the FCC and Verizon to close an FCC
investigation, without a finding of fault, regarding allegations
that Verizon misused the personal information of two million of its
customers to market other services without their consent or
notification of their privacy rights. Previous FCC actions focusing
on cybersecurity have taken the form of nonbinding recommendations,
such as a July 25, 2014 request for comment on the progress of
implementing cybersecurity best practices. Although the October 24
fine may be directly relevant only to companies that are involved
in the telecommunications industry and therefore under the
FCC's jurisdiction, this is one more indication that all U.S.
federal agencies are monitoring cybersecurity issues more closely
than ever.