FCC Settles Its First Foray Into Data Security

By Lydia Beyoud

July 9 — The Federal Communications Commission ended its first data security case with a July 9 announcement that it had settled with two telephone companies for $3.5 million, well below a proposed $10 million sanction.

TerraCom Inc. and YourTel America Inc., which participated in the Lifeline government-subsidized mobile phone program for low-income individuals, agreed to the civil penalty to end the commission's investigation into their failure to protect customer proprietary network information under Sections 201 and 222 of the Communications Act of 1934. The companies share some management and ownership.

The cases were initiated on October 14, 2014, as the FCC's “first data security case and the largest privacy action in the Commission’s history,” moving into enforcement territory long held solely by the Federal Trade Commission.

The FCC's action to regulate data security wasn't unanimously supported. Commissioners Ajit Pai and Michael O'Rielly dissented in separate statements, saying the commission lacked the legal basis to act on the matter and that its action likely wouldn't stand up under judicial scrutiny. With the settlement, the validity of those objections won't be tested in this case.

The data security settlement is not the largest that the FCC has reached since entering the area. In April, AT&T Service Inc. agreed to a record $25 million data breach fine after call center contractors in Colombia, Mexico and the Philippines accessed U.S. consumer data in order to sell the information to third parties to unlock mobile devices.

Contractor Data Breach

TerraCom and YourTel America used a third-party vendor that stored information on more than 300,000 customers in clear, unencrypted text on publicly accessible servers, the FCC said. The companies’ failure to provide reasonable protection resulted in a data breach that exposed personal customer information to unauthorized individuals, the agency said in its consent decree.

“Consumers rightly expect that companies will take every reasonable precaution to protect their personal information,” FCC Enforcement Bureau Chief Travis LeBlanc said in a July 9 statement. “It is a breach of customer trust for a company to promise to protect personal information while failing to take reasonable measures to protect sensitive customer information from unauthorized access by anyone with a search engine.”

The settlement will ensure that the companies take concrete steps to improve their security practices and prevent similar breaches from happening again, LeBlanc said.

In addition to the civil penalty, the companies will have to notify all customers whose information was subject to unauthorized access, provide free credit monitoring services and implement additional information security measures, the FCC said.

Unlike the common practice at the FTC of entering into no-fault settlements with companies charged with lax data security practices, the companies in the FCC consent agreement admit liability for violating the Communications Act.

Mandated Improvements

Under the consent agreement, the companies agreed to improve their privacy and data security by:

• each appointing a senior corporate manager who is a certified privacy professional as a compliance officer;

• conducting a privacy risk assessment;

• implementing a written information security program;

• maintaining reasonable oversight of third-party vendors;

• implementing a data breach response plan; and

• providing privacy and security awareness training to employees.

The companies must also submit regular compliance reports to the FCC for three years.

To contact the reporter on this story: Lydia Beyoud in Washington at lbeyoud@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

The consent decree is available at https://apps.fcc.gov/edocs_public/attachmatch/DA-15-776A1.pdf.