New Sheriff in Town: FCC Expands Its Reach to Data Security

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By John C. Richter, Christopher C. Burris, Alexander K. Haas and John A. Drennan

John C. Richter is a partner in King & Spalding LLP's Special Matters and Government Investigations practice in Washington.

Christopher C. Burris is a partner in the firm's Special Matters and Government Investigations practice in Atlanta.

Alexander K. Haas is counsel in the Business Litigation practice group of King & Spalding in Washington.

John A. Drennan is counsel in the firm's Appellate Law practice in Washington.

The authors are grateful for significant assistance they received in preparing this article from S. Stewart Haskins II, a partner in the King & Spalding's Atlanta office, and Bethany Rupert and James L. Michaels, associates in the firm's Atlanta office.

The Federal Communications Commission (FCC) entered the data security enforcement field in October, levying a $10 million fine against two telecommunications companies for failing to secure and protect their customers' personal information.  This is first time the FCC has usedits authority to levy fines based on inadequate data security, and it has uncovered a divergence of views within the FCC about the agency's own enforcement authority. While FCC Enforcement Bureau Chief Travis LeBlanc has been quoted as saying that the fine “will not be the last,” two FCC commissioners issued sharply worded dissents from the FCC's decision, openly questioning the agency's authority act in the data security enforcement area. Given the clear significance of data security to today's business world, these developments must be watched closely.

FCC Imposes $10 Million Fine on TerraCom and YourTel America

By a 3-2 vote, the FCC decided to assess a $10 million fine on TerraCom Inc. and YourTel America Inc. for placing the personal data of up to 305,000 consumers at risk by storing Social Security numbers, names, addresses, driver's license information and other sensitive consumer information on Internet servers that were accessible to the general public.  According to the FCC, TerraCom and YourTel, which share the same owners and management, collected data on consumers to demonstrate eligibility for the FCC's Lifeline program, which is a universal service fund program that provides inexpensive phone services to low-income individuals.  Although the companies claimed to have “technology and security features [in place] to safeguard the privacy of [ ] customer specific information from unauthorized access,” the customer information the companies collected was allegedly accessible to the public through the Internet between September 2012 and April 2013.  When reporters from the Scripps Howard News Service found these personal records with a simple Google search, they notified theFCC.  After being informed of the security lapse, TerraCom and YourTel allegedly failed to notify all potentially affected customers, depriving them of the opportunity to protect their personal information.

The FCC held that the companies' alleged failure to secure personal information constituted a violation of the companies' duty under Section 222(a) of the Communications Act (the Act) to protect such information, as well as an unjust and unreasonable practice in violation of Section 201(b) of the Act, “given that their data security practices lacked even the most basic and readily available technologies and security features and thus create[d] an unreasonable risk of unauthorized access.”  Section 503(b)(1) empowers the FCC to order forfeiture penalties for violations of the Act, but does not specify the base forfeiture level for violations. Here, the FCC found that a base forfeiture of $29,000 per violation was appropriate, and because TerraCom and YourTel stored personal information for over 300,000 customers, the FCC noted that it could have fined the companies $9 billion. In view of the “extent and gravity of the circumstances,”  the FCC instead decided to impose a fine of $10 million. This is the largest privacy action in the FCC's history,  but as Enforcement Bureau Chief LeBlanc explained, “[w]hen [telecommunications companies] break [the trust of their consumers], the [FCC] will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”

The FCC Commissioners Dissent

Two FCC commissioners disagreed with the FCC's decision and forfeiture penalty. The dissenting commissioners argued that the FCC does not have authority to enforce data security regulations because no one, including the FCC, has ever interpreted the Act to enforce a duty on telecommunications carriers to protect personally identifiable information (PII). Although Section 222(a) imposes a duty on carriers to protect “proprietary information,” one dissent argued that Section 222(b) and (c) limited that duty to protecting “consumer proprietary networkinformation” (CPNI) from marketing use and disclosure to third parties.  CPNI is generally defined as phone-call-related data, such as the phone numbers called and the frequency, duration and timing of such calls; on the other hand, PII encompasses personal information that can be used on its own or with other information to identify, contact or locate a person, or to identify an individual in context. Although the FCC's decision defined Section 222(a)’s “proprietary information” to include PII,  one dissenting commissioner emphasized that Section 222(a) should be interpreted in accordance with the other sections of the Act that restrict the use of CPNI, and that CPNI cannot be equated with PII. According to the dissenter, because Section 222(a) of the Act does not apply to PII, that section “was never intended to address thesecurity of data on the Internet.”  By imposing “never-adopted rules” that greatly broaden the reach of the Act, another dissenting commissioner stressed, the FCC ran “afoul of the fair warning rule” of due process.

The FTC and the FCC have long acknowledged an overlap between their spheres of authority, specifically as it relates to privacy and telecommunications companies.

One of the dissenting commissioners also noted that “it strains credulity to think that Congress intended” penalties as massive as $9 billion for telecommunications carriers, but not for other businesses that handle PII.  Such enormous potential penalties are particularly egregious, argued the commissioner, considering that the FCC has penalized the same companies only hundreds of thousands of dollars for multiple violations of actual substantive rules promulgated by the FCC.

The FTC and Data Privacy and Security Enforcement at the Federal Level

The FCC commissioners' dissenting statements highlight the fact that, at the federal level, data privacy and security enforcement has long been primarily the domain of the FTC, with certain industry-specific authority held by other regulatory agencies. The FTC's general authority toregulate consumer data privacy and security issues stems from Section 5(a)(1) of the FTC Act, which restricts “unfair or deceptive” trade practices —although the FTC also has enforcement authority with respect to other, more targeted privacy laws, such as: (1) the Gramm–Leach–Bliley Act (GLB Act), (2) the Fair Credit Reporting Act (FCRA) and (3) the Children's Online Privacy Protection Act (COPPA).

Although the FTC has various means of regulating data privacy and security practices, the FTC and the FCC have long acknowledged an overlap between their spheres of authority, specifically as it relates to privacy and telecommunications companies. For example, in 2006 the FTC appeared before the Oversight and Investigations Subcommittee of the House Committee on Energy and Commerce to discuss the issue of “pretexting”—the practice of obtaining unauthorized access to consumer telephone records through deceit.  During the hearing, the FTC stated that it “work[ed] closely” with the FCC to bring five cases against entities engaged in pretexting because the FCC “has jurisdiction over telecommunications carriers subject to the Communications Act.”>  More recently, in a comment filed by the FTC with the FCC regarding the regulation of Internet broadband providers, the FTC stated, “[t]he FTC welcomes the opportunity to share its experience promoting consumer privacy and data security with the FCC and looks forward to working with the FCC to ensure a consistent, efficient, and effective approach to enforcement and oversight in the broadband area.”  At the same time, although the FCC has primary regulatory authority over telecommunications carriers, the FTC has not shied away from bringing actions against those carriers for alleged unfair or deceptive business practices. For example, the FTC has taken action against a number of mobile carriers, alleging that they engaged in “cramming”—the illegal practice of subtly adding extraneous charges, typically from unauthorized third parties, into customers' telephone bills.

The FCC's Regulatory Authority to Protect Consumer Privacy

While the FCC's actions in the TerraCom and YourTel matter relied on Sections 222(a) and 201(b) of the Act, those actions should also be examined in the context of the FCC's other, more clearly delineated authority to protect consumer privacy. Specifically, the FCC has authority under the Telecommunications Act of 1996, which amended the Communications Act, to regulate how telecommunications companies protect CPNI. Furthermore, the FCC has authority under the Telephone Consumer Protection Act (TCPA) to regulate how all companies—not just telecommunications companies—utilize telecommunications systems to interact with customers (e.g., by making phone calls or sending faxes). Under both of these privacy protection regimes, the FCC's authority and the scope of the conduct prohibited is clearly laid out instatute and/or regulation—in notable contrast to the FCC's purported authority to regulate data security practices.

The Telecommunications Act of 1996, and the regulations promulgated pursuant to it, define what safeguards telecommunications companies must put in place to prevent the improper release of CPNI.  These safeguards include CPNI training requirements for employees and the implementation of supervisory review processes to ensure the security of CPNI. Other provisions dictate that telecommunications providers must obtain a customer's approval to use that customer's personal information in marketing activities; providers obtain this approval either by asking the customer to affirmatively “opt in” to marketing use or by sending the customer a written notice about how the company intends to use the customer's information and giving the customer the ability to “opt out.” Recently, the FCC brought an action against a major mobile carrier, Verizon Communications Inc., alleging that the company violated the FCC's CPNI regulations when it used call-related personal information from nearly 2 million subscribers to target them for advertising without their consent.  The FCC specifically alleged that Verizon failed to inform its customers of how to opt out of having their call-related personal information used in marketing campaigns. The FCC claimed that Verizon, despite becoming aware of the opt-out issue in September 2012, did not notify the agency of the issue until January 2013. InSeptember 2014, Verizon agreed to pay $7.4 million to settle the case, which at the time was the largest payment in a telephone

The TCPA prohibits the use of telephonic equipment in a variety of ways and strictly regulates the use of automated telephone dialing systems, pre-recorded calls and fax machines; the TCPA also grants the FCC the authority to issue implementing regulations further defining what telecommunications activity is permissible.  For example, under the TCPA, it is unlawful for anyone to make any non-emergency call to a cellular telephone using an automated telephone dialing system without the prior express consent of the called party. The FCC has construed the statutory term “call” as including text messages.  For calls (or text messages) that are promotional in nature, the FCC requires the written consent of the called party.  Companies that send promotional messages in this manner typically store the called party's written consent electronically together with other information about the call, such as the date and time.  This information must be stored in an electronic or other medium that is retrievable and in perceivable form.  Recently, Jiffy Lube International Inc. settled a $47 million class action suit for allegedly sending a promotional text message to millions of consumers who had not consented to receive it.  Additionally, a number of major financial institutions have recently settled TCPA class actions in amounts ranging from $32 million to $75.5 million for allegedly using automated dialers to call or text customers' cellphones without their consent.

Where Do We Go From Here?

Although the FCC's CPNI regulations and the TCPA govern how companies use their customers' personal information, neither set of laws expressly grants the FCC the authority to regulate how telecommunications companies secure or store their customers' personal information; inother words, these laws do not expressly grant the FCC authority to regulate data security. As mentioned, the FCC claims that its authority for imposing the $10 million fine upon TerraCom and YourTel—and, implicitly, for regulating data security—is derived not from CPNI regulations or the TCPA, but from the Act, which specifically states in Section 222(a) that “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers … .”  According to the FCC, the Act requires carriers to “take every reasonable precaution to protect the confidentiality” of their customers' information, and the FCC must “take resolute enforcement action to ensure that the goals of [the Act] are achieved.”

The FCC's recent actions pose a greater threat than those of the FTC to telecommunications carriers due to the FCC's ability to penalize a company immediately for a security defect.

The FTC has also attempted to expand the scope of its authority to regulate data security; it has done so by broadening its definition of the phrase “unfair” business practices as used in the FTC Act. In a recent case, Wyndham Worldwide Corp. argued that the FTC cannot regulate corporate security practices because it has not published rules governing cybersecurity standards that would provide adequate notice to companies of the standards to which they are being held —precisely the point made by the dissenting FCC Commissioners in the TerraCom and YourTel cases. The FTC responded that Wyndham's security practices constituted “unfair” acts or practices because they caused or were likely to cause substantial injury to consumers that the consumers could not reasonably avoid themselves.  The FCC may now be attempting toexpand the scope of its authority in a similar manner: broadening the definition of “duty to protect” and “proprietary information” in Section 222(a) of the Act.  In its order against TerraCom and YourTel, the FCC defines the “duty to protect” as a duty to protect customer personalinformation not just from misuse by the telecommunications carriers, but from misuse by anyone who obtains it from the carriers, even if they do so without the carriers' knowledge.  Furthermore, the FCC defines “proprietary information” as PII, rather than CPNI, greatly expanding the extent of information that telecommunications companies must protect.

The FCC's recent actions pose a greater threat than those of the FTC to telecommunications carriers due to the FCC's ability to penalize a company immediately for a security defect. Generally, when the FTC determines that a business practice is “unfair,” it issues a “cease and desist” order to the company before escalating the matter; if the company persists with the unfair practice, then the FTC may seek civil penalties from the company.  No such limitations exist for the FCC under the Act; once a company has been convicted of failing to protect the “confidentiality of proprietary information of [its] customers,” the FCC may impose a fine on the company without further steps or notice.  The FCC here calculated the fine for violations of the Communications Act by using a base forfeiture of $29,000 per violation—and because the FCC counts each personal record that is unprotected as a distinct violation, its fines are likely to be significant.

Conclusion

Regardless of whether any telecommunications companies challenge the FCC's enforcement of data security regulations as overly broad, telecommunications companies should expect continued scrutiny of their data security and other privacy practices, whether from the FCC or other regulators or authorities. That fact, along with the possibility of harsh FCC penalties, should encourage telecommunications companies to remain diligent in taking the steps necessary to reasonably protect all of their customers' personal information, whether PII, CPNI or otherwise.

   1

Notice of Apparent Liability for Forfeiture, In re TerraCom, Inc. and YourTel Am., Inc., FCC 14-173 (Oct. 24, 2014), available at  https://apps.fcc.gov/edocs_public/attachmatch/FCC-14-173A1.pdf.

2

See Brian Fung, With a $10 Million Fine, the FCC Is Leaping Into Data Security for the First Time, Wash. Post (Oct. 24, 2014), available at http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/24/with-a-10-million-fine-the-fcc-is-leaping-into-data-security-for-the-first-time/.

3

See Notice of Apparent Liability for Forfeiture, supra note 1, at 25–30.

4

Press Release, FCC, FCC Plans $10 Million Fine for Carriers That Breached Consumer Privacy (Oct. 24, 2014), available at https://apps.fcc.gov/edocs_public/attachmatch/DOC-330136A1.pdf.

5

Id.

6

Id.

7

See Brian Fung, supra note 2.

8

Press Release, supra note 4.

9

Notice of Apparent Liability for Forfeiture, supra note 1, at 19.

10

See Press Release, supra note 4; Brian Fung, supra note 2.

11

See Press Release, supra note 4.

12

Notice of Apparent Liability for Forfeiture, supra note 1, at 27–29.

13

See 47 U.S.C. § 222(h)(1).

14

Notice of Apparent Liability for Forfeiture, supra note 1, at 7–8.

15

Id.

16

Id. at 27.

17

Id. at 25.

18

Id. at 26.

19

Id.

20

15 U.S.C. § 45(a)(1).

21

See Alden Abbott, The Federal Trade Commission's Role in Online Security: Data Protector or Dictator? The Heritage Found., Legal Memorandum #137 on Legal Issues (Sept. 10, 2014), available at http://www.heritage.org/research/reports/2014/09/the-federal-trade-commissions-role-in-online-security-data-protector-or-dictator#_ftn8. The FTC's Safeguards Rule, which it adopted pursuant to the GLB Act, requires non-bank financial institutions to develop and maintain comprehensive data security programs “to protect the security, confidentiality, and integrity of customer information.” 16 C.F.R. § 314.1(a). The FCRA requires consumer reporting agencies to use reasonable precautions to ensure that they disclose sensitive consumer information only to permissible entities; the FCRA also obliges entities that maintain consumer report information to dispose of that information in a safe manner. See 15 U.S.C. §§ 1681e, 1681w. COPPA regulates the collection of personal information from children through a website or online service; specifically, COPPA empowers the FTC to oversee website or online operators that collect personal information from children and to require that those operators obtain parental consent “for the collection, use, or disclosure of [that] information.” 15 U.S.C. § 6502(b)(1)(A)(ii); see 15 U.S.C. §§ 6501–6506; see also 16 C.F.R. pt. 312 (COPPA Rule).

22

Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?, Statement Before the Subcomm. on Oversight and Investigations of the H. Comm. on Energy and Commerce, 109th Cong. (Sept. 29, 2006) (prepared statement of the Fed. Trade Comm'n), available athttp://www.ftc.gov/sites/default/files/documents/public_statements/prepared-statement-federal-trade-commission-internet-data-brokers-and-pretexting/p065409internetdatabrokers09292006.pdf .

23

Id. at 5 n.13 (citing the Telecommunications Act of 1996 “which amended the Communications Act, and accordingly [ ] afforded privacy protections [to consumer telephone records] by the regulations under that Act. See 42 U.S.C. § 222; 47 C.F.R. §§ 64.2001–64.2009.”).

24

Comment of the FTC, In re Inquiry Concerning the Deployment of Advanced Telecommunications Capability, FCC GN Dkt. No. 14-126 (Sept. 22, 2014) at 12, available at http://www.ftc.gov/system/files/documents/advocacy_documents/federal-trade-commission-comment-federal-communications-commission-regarding-privacy-security/140919privacybroadband.pdf .

25

See, e.g., Press Release, FTC, AT&T to Pay $80 Million to FTC for Consumer Refunds in Mobile Cramming Case (Oct. 8, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/10/att-pay-80-million-ftc-consumer-refunds-mobile-cramming-case.

26

See 47 U.S.C. § 222; 47 C.F.R § 64.2009.

27

See Press Release, FCC, Verizon to Pay $7.4M to Settle Privacy Investigation (Sept. 3, 2014), available at https://apps.fcc.gov/edocs_public/attachmatch/DOC-329127A1.pdf.

28

Id.

29

See 47 U.S.C. § 227.

30

In re Rules and Regs. Implementing the Telephone Consumer Protection Act of 1991, 18 FCC Rcd. 14014, 14115 (2003), available at http://digital.library.unt.edu/ark:/67531/metadc4033/m1/501/.

31

See In re Rules and Regs. Implementing the Telephone Consumer Protection Act of 1991, 27 FCC Rcd. 1830, 1844 (Feb. 15 2012) (2012 FCC Order), available at http://digital.library.unt.edu/ark:/67531/metadc94251/m1/922/.

32

Presumably, telecommunications companies are required to protect the electronic records of these written consents either under the FCC's CPNI requirements or other FTC “business practice” requirements.

33

15 U.S.C. § 7006(4), (9).

34

Lana Birbrair, CORRECTED: Jiffy Lube Franchisee to Pay up to $47M to Settle Spam Text MDL, Law360 (Aug. 2, 2012), available at http://www.law360.com/articles/366217/corrected-jiffy-lube-franchisee-to-pay-up-to-47m-to-settle-spam-text-mdl.

35

Bank of America $32M TCPA Settlement Receives Final Approval, but Fees Reduced, 13 Bloomberg BNA Privacy & Sec. L. Rep. 1556 (Sept. 8, 2014) Katie W. Johnson, Debt Collectors' $75M Improper Calls Class Gains Preliminary OK in Largest Settlement, 13 Bloomberg BNA Privacy & Sec. L. Rep. 1414 (Aug. 11, 2014) .

36

47 U.S.C. § 222(a) (emphasis added).

37

Notice of Apparent Liability for Forfeiture, supra note 1, at 6, para. 13 & nn. 30–31 (citing Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd. 6927, 6959–60 (2007)).

38

See Katie W. Johnson, Impending Wyndham Ruling Leaves Some Questioning FTC's Enforcement Power, 12 Bloomberg BNA Privacy & Sec. L. Rep. 1465 (Sept. 2, 2013); see also Thomas O'Toole and Katie W. Johnson, FTC's Unfairness Authority Upheld in Wyndham Data Security Litigation, 13 Bloomberg BNA Privacy & Sec. L. Rep. 619 (Apr. 14, 2014).

39

See id.

40

See 47 U.S.C. § 222(a).

41

See Notice of Apparent Liability for Forfeiture, supra note 1, at 11.

42

Id. at 7–8, 10–11.

43

Memo, A Brief Overview of the Federal Trade Commission's Investigative and Law Enforcement Authority, Section II: Enforcement Authority (Fed. Trade Comm'n Revised July 2008), available at http://www.ftc.gov/about-ftc/what-we-do/enforcement-authority.

44

See 47 U.S.C. § 501.

45

Notice of Apparent Liability for Forfeiture, supra note 1, at 19.