The Federal Communications Commission (FCC) settled with TerraCom, Inc. and its affiliate YourTel America, Inc. over violations of the Federal Communications Act of 1934. The FCC says the companies failed to protect the confidentiality of personal information they collected from over 300,000 customers.
The telecommunications carriers collected data on consumers for the purpose of verifying their eligibility for the Lifeline program – a government-sponsored program designed to provide discounted phone services to low-income individuals. The application process required potential customers to provide personal information: names, addresses, Social Security numbers, dates of birth, and driver’s license numbers.
From September 2012 to April 2013, the customer information was stored on third-party vendor servers in publicly accessible folders lacking password protection or encryption. The telecommunications carriers were notified of the glaring security holes, but failed to notify all potentially affected customers.
Section 222 of the Federal Communications Act requires telecommunications carriers to protect the confidentiality of customers’ proprietary information. This generally applied to data referred to as customer proprietary network information (CPNI): phone numbers called, frequency of times called, and duration of calls.
In this case, the FCC applied the Act’s protections to all types of information that should not be exposed widely to the public. It determined that all of the information submitted by applicants fell under the scope of proprietary information. This creates a broad standard and greatly expands the scope of personal information telecommunications carriers must protect.
Section 201(b) of the Act prohibits telecommunications carriers from engaging in any unjust and unreasonable practice. The FCC says that a carrier’s data security practices fall under Section 201.
In this case, the FCC concluded that TerraCom and YourTel violated Section 201 by:
- Lacking basic security measures to protect the privacy of consumers’ proprietary information
- Misrepresenting security practices to consumers
- Failing to notify affected consumers who could have been harmed
This is the FCC’s first settlement in a data security case. The telecommunications carriers are subject to a $3.5 million fine. Other provisions of the settlement include notifying all consumers whose information was at risk of unauthorized access and providing credit monitoring to all affected individuals. TerraCom and YourTel must also improve their security practices by implementing a written information security plan and data breach response plan while maintaining tighter supervision and due diligence of vendors.
The FCC is taking an approach to privacy and data security enforcement similar to the FTC’s. These regulatory agencies are taking more concrete steps to require companies to maintain appropriate protections for sensitive customer data.
This case, along with the recent $25 million Consent Decree settled with AT&T, demonstrates the FCC’s increasing involvement in the data security field.