By Lydia Beyoud
July 9 — The Federal Communications Commission ended its first-initiated data security case with a July 9 announcement that it had settled with two telephone companies for $3.5 million, well below a proposed $10 million sanction.
TerraCom Inc. and YourTel America Inc., which participated in the Lifeline government-subsidized mobile phone program for low-income individuals, agreed to the civil penalty to end the commission's investigation into their failure to protect customer proprietary network information under Sections 201 and 222 of the Communications Act of 1934. The companies share some management and ownership.
The cases were initiated on October 14, 2014, as the FCC's “first data security case and the largest privacy action in the Commission’s history,” moving into enforcement territory long held solely by the Federal Trade Commission.
The FCC's action to regulate data security wasn't unanimously supported. Commissioners Ajit Pai and Michael O'Rielly dissented in separate statements, saying the commission lacked the legal basis to act on the matter and that its action likely wouldn't stand up under judicial scrutiny. With the settlement, the validity of those objections won't be tested in this case.
The data security settlement is not the largest that the FCC has reached since entering the area. In April, AT&T Service Inc. agreed to a record $25 million data breach fine after call center contractors in Colombia, Mexico and the Philippines accessed U.S. consumer data in order to sell the information to third parties to unlock mobile devices.
TerraCom and YourTel America used a third-party vendor that stored information on more than 300,000 customers in clear, unencrypted text on publicly accessible servers, the FCC said. The companies’ failure to provide reasonable protection resulted in a data breach that exposed personal customer information to unauthorized individuals, the agency said in its consent decree.
“Consumers rightly expect that companies will take every reasonable precaution to protect their personal information,” FCC Enforcement Bureau Chief Travis LeBlanc said in a July 9 statement. “It is a breach of customer trust for a company to promise to protect personal information while failing to take reasonable measures to protect sensitive customer information from unauthorized access by anyone with a search engine.”
In addition to the civil penalty, the companies will have to notify all customers whose information was subject to unauthorized access, provide free credit monitoring services and implement additional information security measures, the FCC said.
Unlike the common practice at the FTC of entering into no-fault settlements with companies charged with lax data security practices, the companies in the FCC consent agreement admit liability for violating the Communications Act.
• each appointing a senior corporate manager who is a certified privacy professional as a compliance officer;
• conducting a privacy risk assessment;
• implementing a written information security program;
• maintaining reasonable oversight of third-party vendors;
• implementing a data breach response plan; and
• providing privacy and security awareness training to employees.
The companies must also submit regular compliance reports to the FCC for three years.
To contact the reporter on this story: Lydia Beyoud in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
The consent decree is available at https://apps.fcc.gov/edocs_public/attachmatch/DA-15-776A1.pdf.