FCC Enters Consumer Data Security Realm, Plans $10M Fine Against Phone Companies

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Brandon Ross

Oct. 24 — The Federal Communications Commission announced Oct. 24 its plans to fine two phone companies a combined $10 million for failing to protect their customers' personal data online.

The case is “the Commission's first data security case and the largest privacy action in the Commission’s history,” the FCC said in an Oct. 24 statement.

The two companies, TerraCom Inc. and YourTel America Inc., which share some management and ownership, violated two provisions of the Communications Act, FCC Enforcement Bureau Chief Travis LeBlanc said during an Oct. 24 media briefing call.

“Section 222(a) of the Communications Act imposes a duty on carriers to protect the confidentiality of the proprietary information of their customers,” LeBlanc said. “And Section 201(b) prohibits carriers from engaging in unjust and unreasonable practices.”

He added: “We are looking at the data security practices of telecommunications carriers.”

The action represents the FCC's second major privacy action in two months. In September, the commission announced that Verizon Communications Inc. had agreed to pay $7.4 million to resolve charges that it failed to notify new wireline customers that they could opt out of letting the company use their personal information to market them services, at the time the largest customer privacy settlement the regulator had ever reached.

305,000 Individuals Affected

TerraCom and YourTel, which provide discounted phone service to low-income individuals, collected the Social Security numbers, dates of birth, driver's license information, incomes and names of their customers and then stored the information online in a manner accessible to anyone, LeBlanc said during the media briefing.

“When the companies discovered that their unsecured Internet servers had been accessed by unauthorized persons from around the world, the companies did not notify every consumer whose personal information was stored in the unsecured folders,” LeBlanc said.

The FCC said the personal information of 305,000 people was exposed as a result of the unsecured data storage.

“Their data security practices lacked ‘even the most basic and readily available technologies and security features' ” and therefore created “ ‘an unreasonable risk of unauthorized access,' ” the FCC's statement said.

Dissenting Statements

Although FCC Chairman Tom Wheeler and Commissioners Mignon Clyburn and Jessica Rosenworcel voted for the notice of apparent liability (NAL) against the two companies, Commissioners Ajit Pai and Michael O'Rielly dissented in separate statements, saying it lacks legal basis and likely won't stand up under judicial scrutiny.

“The government cannot sanction you for violating the law unless it has told you what the law is,” Pai's statement said. “An agency cannot at once invent and enforce a legal obligation. Yet this is precisely what has happened here.”

The FCC has never previously stated that the Communications Act requires carriers to “employ reasonable data security practices,” nor has the commission previously mandated that carriers notify all consumers of a breach of their personal information, Pai said.

“The Commission never identifies in the entire Notice of Apparent Liability a single rule that has been violated,” Pai said. The FCC should have gone through the standard rulemaking process and received public comment to give the agency a chance to make clear and thoughtful rules, he said.

But because none of those actions was taken, “the Commission runs afoul of the fair warning rule,” Pai said. “I cannot support such ‘sentence first, verdict afterward' decision-making.”

O'Rielly's statement echoed similar concerns. He said that “while I am troubled that sensitive information about Lifeline subscribers was exposed to the public, I cannot support an NAL that exceeds our authority and comes without fair notice to the companies involved.”

Consumer Group Reaction

Consumer advocacy group Public Knowledge commended the commission's planned action and said consumers, especially low-income ones, are forced to share their highly sensitive information online and need to be able to trust carriers to reasonably protect their information.

“Public Knowledge applauds the Commission for this, the second major enforcement action the Commission has taken to protect telecommunications consumers’ privacy in as many months,” Public Knowledge staff attorney Laura Moy said in an Oct. 24 statement.

According to the FCC's statement, the notice of apparent liability will be released at a later date.

Meanwhile, the FCC announced Oct. 28 that it had joined the Global Privacy Enforcement Network as one of two U.S. agencies—the other being the Federal Trade Commission—that are members of the group.

To contact the reporter on this story: Brandon Ross in Washington at bross@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com

Pai's dissenting statement is available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1024/FCC-14-173A4.pdf.

O'Rielly's dissenting statement is available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1027/FCC-14-173A5.pdf.