FCC Settles First Data Security Enforcement Action

The Federal Communications Commission (FCC) settled with TerraCom, Inc. and its affiliate YourTel America, Inc. on violations of the Federal Communications Act of 1934. The FCC says the companies failed to protect the confidentiality of personal information they collected from over 300,000 customers.

Breach Details

The telecommunications carriers collected data on consumers to verify their eligibility for the Lifeline program, a government-sponsored program designed to provide discounted phone services to low-income individuals. The application process required potential customers to provide personal information: names, addresses, Social Security numbers, dates of birth, and driver’s license numbers.

TerraCom and YourTel’s privacy policy claimed to have technical safeguards to protect the privacy of customer information from unauthorized access. However, the companies stored the personal information of over 300,000 customers in clear, readable text on unprotected Internet servers that anyone could access.

From September 2012 to April 2013, the customer information was stored on third-party vendor servers in publicly accessible folders lacking password protection or encryption. The telecommunications carriers were notified of the glaring security holes, but failed to notify all potentially affected customers.

Section 222

Section 222 of the Federal Communications Act requires telecommunications carriers to protect the confidentiality of customers’ proprietary information. This generally applied to data referred to as customer proprietary network information (CPNI): phone numbers called, how frequently they were called, and duration of calls.

In this case, the FCC applied the Act’s protections to all types of information that should not be exposed widely to the public. It determined that all of the information submitted by applicants fell under the scope of proprietary information. This creates a broad standard and greatly expands the scope of personal information telecommunications carriers must protect.

Section 201(b)

Section 201(b) of the Act prohibits telecommunications carriers from engaging in any unjust and unreasonable practice. The FCC says that a carrier’s data security practices fall under Section 201.

In this case, the FCC concluded that TerraCom and YourTel violated Section 201 by:

  • Lacking basic security measures to protect the privacy of consumers’ proprietary information
  • Misrepresenting security practices to consumers
  • Failing to notify affected consumers who could have been harmed

Settlement Details

This is the FCC’s first settlement in a data security case. The telecommunications carriers are subject to a $3.5 million fine. Other provisions of the settlement include notifying all consumers whose information was at risk of unauthorized access and providing credit monitoring to all affected individuals. TerraCom and YourTel must also improve their security practices by implementing a written information security plan and a data breach response plan, while maintaining tighter supervision and due diligence of vendors.

Key Takeaways

The FCC is taking an approach to privacy and data security enforcement similar to the FTC’s. These regulatory agencies are taking more concrete steps to require companies to maintain appropriate protections for sensitive customer data.

This case, along with the recent $25 million Consent Decree settled with AT&T, demonstrates the FCC’s increasing involvement in the data security field.
