FCC Seen Facing Court Challenge In New Posture as Cybersecurity Cop

By Alexei Alexis

Nov. 26 — The Federal Communications Commission's recent entry into the world of “ad hoc” cybersecurity enforcement—that is, without supporting regulations or settled statutory authority—reflects a significant shift in the agency's thinking that might eventually get challenged in court, industry attorneys told Bloomberg BNA.

At issue is a case in which the FCC, for the first time and without any prior warning, took the position that carriers are required under Section 201 of the Communications Act to employ “reasonable” data security practices and to notify consumers in the event of a breach.

“This is an unprecedented action by the commission,” said Steve Augustino, a partner at Kelley Drye & Warren LLP. “I think the approach will be challenged in the future.”

The FCC, in late October, issued a “notice of apparent liability” in which a fine of $10 million was assessed against telecommunications carriers TerraCom Inc. and YourTel America Inc. for failure to meet data security obligations while providing phone services to low-income consumers as part of a government program known as Lifeline. Sensitive details, such as Social Security numbers, were stored on unprotected Internet servers, exposing consumers to identity theft and fraud, according to the agency.

The companies were charged with “willful and repeated” violations of the Communications Act, including Section 201(b), which prohibits “unjust and unreasonable” practices. The commission also cited infractions related to Section 222(a), which requires carriers to protect the confidentiality of the “proprietary information” of their customers.

Republican Dissent

FCC Chairman Tom Wheeler joined two other Democratic commissioners, Mignon Clyburn and Jessica Rosenworcel, in approving the action. But Republicans Ajit Pai and Michael O'Rielly dissented, saying that the move was largely based on new legal theories that had not undergone a formal notice-and-comment rulemaking process, raising “fair notice” concerns.

The proposed penalty, which is subject to change depending on the companies' response, is the largest in the agency's history involving an alleged breach of consumer privacy, according to the FCC. The action demonstrates that FCC Enforcement Bureau Chief Travis LeBlanc, who joined the agency this year, is serious about tackling privacy and data security issues, attorneys told Bloomberg BNA.

“LeBlanc previously served under California Attorney General Kamala Harris on matters involving the protection of consumer privacy and cybersecurity, including the establishment of California's first high-tech crime and privacy enforcement units,” said Jamie Barnett, a partner at Venable LLP. “So, he's the new sheriff in town, clearly with the imprimatur of the chairman.”

Barnett added that FCC-regulated entities should review how they handle customer data, in preparation for increased enforcement activity.

In an Oct. 24 phone call with reporters, LeBlanc said the commission's action against TerraCom and YourTel sends a “clear signal” that the agency will not tolerate conduct that puts U.S. consumers at risk of financial fraud and identity theft.

“While this is the first data security enforcement action that the commission has taken, it will not be the last,” he said.

Similar Approach at FTC

The case is reminiscent of the Federal Trade Commission's many data security actions under Section 5 of the FTC Act, which prohibits “unfair and deceptive” trade practices, lawyers said. Most of the FTC actions have been settled over the years, but the approach is currently being challenged by Wyndham Hotels and Resorts LLC and LabMD Inc.

“Much like we saw with the FTC in Wyndham and LabMD, I would not be surprised if someone eventually challenged the FCC's position,” said Mark Brennan, a partner at Hogan Lovells LLP. “However, some parties will instead prefer to enter into a consent decree with the FCC and avoid a court battle.”

Lisa Sotto, a partner at Hunton & Williams LLP, noted that the FCC, like the FTC, has drawn on statutory provisions that weren't written with data security in mind.

“The FCC is clearly taking a page or two from the FTC's playbook,” she said. “Companies regulated by the FCC would be wise to pay close attention to the last decade or so of FTC jurisprudence in this area.”

Regulatory Uncertainty

Brennan said the FCC will probably remain active in this area, although it remains to be seen whether the agency will continue to rely on an “ad hoc” enforcement approach or whether it will commence a rulemaking.

“Unlike the FTC, the FCC could have pursued a notice-and-comment rulemaking to cover these issues,” he told Bloomberg BNA. “Instead, carriers are now left to wonder what other hidden expectations the FCC enforcers may have.”

A spokeswoman for the FCC told Bloomberg BNA that administrative agencies such as the commission generally have the authority to decide whether to move forward through rulemaking or adjudication.

“In this case, we felt it was a sufficiently egregious violation of the parties' clear duty under the statute to protect the privacy of their customers' data that acting through an adjudication was entirely appropriate,” she said. “This does not foreclose our ability to adopt rules in the future.”

Augustino said he was particularly surprised by the FCC's use of Section 201(b) to impose liability for previously unstated data security obligations.

In addition, he said the commission seems to be interpreting “proprietary information” under Section 222(a) in a much broader way than in the past. “As a result, carriers may have a duty to protect information that is not, strictly speaking, within the ambit of the agency's existing customer proprietary network information (CPNI) rules,” he added. “That is an interpretation that will cause many carriers to go back to the drawing board in establishing their data protection policies.”

The dissenting statements from Republican commissioners Pai and O'Rielly, Sotto said, call to mind similar assertions used to challenge the FTC's authority.

Alleged Violations

According to the FCC's “apparent liability” notice, TerraCom and YourTel failed to take reasonable steps to protect Social Security numbers, names, addresses, and other sensitive information collected from low-income Americans to establish their eligibility for the Lifeline program.

From Sept. 30, 2012, through April 26, 2013, the companies stored thousands of Lifeline applications and supporting documents on a third-party vendor's servers, in two publicly accessible folders that lacked any password protection or encryption, according to the FCC.

The companies failed to deploy even the most basic and readily available technologies and security features to protect the data, constituting an “unjust and unreasonable” practice, the FCC said. Other alleged infractions included giving consumers false data security assurances online and failing to notify the full scope of individuals whose personal information ended up getting compromised.

“[T]he most sensitive, personal information of up to 305,000 Americans was available to anyone with an Internet connection anywhere in the world,” Wheeler said in a statement announcing the FCC action. “We do not need detailed ex ante rules and regulations to know this is simply unacceptable.”

‘Novel Legal Interpretations’

In his dissent, Pai said the commission should have pursued an open notice-and-comment rulemaking before taking such an action.

“[T]he Commission asserts that these companies violated novel legal interpretations and never-adopted rules,” Pai said. “And it seeks to impose a substantial financial penalty. In so doing, the Commission runs afoul of the fair warning rule. I cannot support such ‘sentence first, verdict afterward’ decision-making.”

O'Rielly raised similar fair notice concerns, but went further, questioning whether the agency even has the authority to bring such a data security case under the Communications Act.

The FCC action was welcomed by consumer advocacy group Public Knowledge.

“The Communications Act gives the Commission broad authority to enforce some of the strongest federal privacy protections on the books, and this action leaves no question that it takes that authority seriously,” Public Knowledge staff attorney Laura Moy said in an Oct. 24 press release.

To contact the reporter on this story: Alexei Alexis in Washington at aalexis@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com

The FCC notice can be found at: http://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1027/FCC-14-173A1.pdf.