The FCC recently signaled its intention to move aggressively into the realm of data security regulation. On October 24, 2014, the agency released a Notice of Apparent Liability for Forfeiture (NAL), ordering two telecommunication companies to pay a combined $10 million forfeiture for failing to secure consumer’s personal information. This is the first time the FCC has attempted to regulate data security. After a decade of increasing FTC regulation in this area, companies must now prepare for FCC enforcement action as well.
The FCC’s recent action came after it was discovered that the two companies, TerraCom Inc. and YourTelAmerica Inc., had made 305,000 clients’ sensitive data available to the public. Data included Social Security numbers, scans of passports, and driver’s license information.
TerraCom and YourTel, jointly owned companies, participate in Lifeline, a federal program that provides subsidized phone service for low-income consumers. Both companies collect identifiable information, such as names, addresses, birthdates, and Social Security numbers, in order for consumers to prove that they qualify to participate. The companies collected this information and contracted with a third party to host and store it.
In April 2013, an investigative reporter notified the companies that there were holes in the security measures undertaken to protect the personal information provided by low-income applicants to the program. In fact, between March 24, 2013 and April 26, 2013, the reporter was able to access and download 128,066 proprietary records, which were available on public websites and located through a simple Google search. The Enforcement Bureau of the FCC independently confirmed that at least two applications containing personal information were openly available through search engines as late as June 30, 2014. Evidence also showed that a number of IP addresses from foreign countries, including Russia and China, accessed the data.
The FCC is pursuing an enforcement action by relying on a decades-old statute, Section 503(b)(1) of the Communications Act of 1934, which allows forfeiture penalties against any person who willfully or repeatedly fails to comply with any provision of the Act or any rule, regulation, or order from the Commission. The FCC specifically alleges four violations under sections 222(a) and 201(b) of the statute:
- Under section 222(a), the companies failed to protect the confidentiality of proprietary information that consumers provided for eligibility consideration. The agency claims that the security measures put in place lacked even the most basic features that would protect consumers’ proprietary information.
- The FCC alleges that the companies violated section 201(b) by not employing reasonable data security practices to protect consumers’ proprietary information. According to the NAL, the companies stored the information in clear, readable text that was accessible to anyone using simple search techniques, creating “an unreasonable risk of unauthorized access.”
- Further, the FCC maintains that TerraCom and YourTel violated section 201(b) by representing in their policies that they protected customers’ proprietary information. The federal agency asserted that the representations made in privacy policies were false, deceptive, and misleading.
- Lastly, the FCC contends that the companies engaged in unjust and unreasonable practice by failing to notify all customers whose proprietary information was likely breached. According to the NAL, TerraCom and YourTel only notified 35,129 of the more than 300,000 persons whose personal information was exposed. The FCC argued that notifying “anything less than all potentially affected customers” of the exposure was unjust and unreasonable.
Statements by the FCC Commissioners suggest that this may be the start of continued involvement by the agency in this area of regulation. The chairman of the Commission, Tom Wheeler, stated that the FCC, as the expert agency on communications networks, “cannot – and will not – stand idly by when a service provider’s lax data security practices expose the personal information of hundreds of thousands.” Another commissioner agreed, arguing that “[t]he Commission has a clear role to ensure that providers protect sensitive information.”
The NAL, however, was not unanimously agreed upon: two commissioners issued dissenting statements. Commissioner Ajit Pai focused on the lack of notice given to companies, pointing out that the Commission has never interpreted the Communications Act to impose an enforceable duty on carriers to employ data security practices to protect personal identity information. He argued that in this enforcement action the “Commission asserts that these companies violated novel legal interpretations and never-adopted rules.” The other dissenting voice, Commissioner Michael O’Rielly, made similar arguments regarding fair notice, and also asserted that the Communications Act “was never intended to address the security of data on the Internet.”
Some commentators have noted that the FCC may have decided to take action after a number of failed attempts by Congress to address the issue. In the last decade, the FTC has also moved into the realm of data security regulation, relying on its authority to police unfair and deceptive trade practices. While settlements in those cases are common, a few companies have recently challenged the agency’s allegations. Those companies have asserted that Section 5 of the Federal Trade Commission Act does not give the FTC the power to set data security standards for private companies and, even if it did, the regulatory agency had failed to give fair notice. These arguments echo the points raised by the dissenting commissions on the FCC, who may foresee a future judicial challenge to the agency’s recent actions.
While the companies have 30 days from the date of notice to seek a reduction in the fine, this action should serve as a warning sign for companies throughout the country regarding the need to assess and reevaluate practices regarding data protection. There is clear momentum behind increasing federal regulation of data security.
The full text of the NAL can be accessed here.
Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.
