The Federal Communications Commission (FCC) recently issued a Notice of Apparent Liability for Forfeiture proposing a $10 million penalty against TerraCom, Inc. and YourTel America, Inc. (collectively, the “companies”) for allegedly violating laws protecting consumers’ personal information. Specifically, the FCC alleged that the companies placed the personal data of up to 300,000 consumers at risk by storing Social Security numbers, names, addresses, driver’s licenses, and other proprietary information (PI) on unprotected Internet servers that “anyone in the world could access.”
The decision is the FCC’s first case involving data security. It is also informative as to the FCC’s current and evolving expectations with regard to carriers’ duties to protect sensitive consumer information, and it underscores the need for organizations in the communications sector to keep a close eye on both FCC and Federal Trade Commission (FTC) data privacy and security enforcement activity.
First, the FCC found that the companies apparently violated Section 222(a) of the Communications Act (the “Act”) by failing to protect the confidentiality of PI that consumers provided when applying for Lifeline telecommunications services. The FCC interpreted the term “proprietary information” in Section 222(a) to include personal data that customers expect carriers to keep private. The FCC also clarified that the scope of PI is broader than “confidential proprietary network information” (CPNI), and that a carrier’s duty to protect a consumer’s PI does not depend on that consumer becoming a subscriber of the carrier’s service. In the context of Lifeline telephone services, for instance, PI includes applicants’:
- First and last name;
- Home or other physical address;
- E-mail address or other online contact information, such as an instant messaging screen name that reveals an individual’s e-mail address;
- Telephone number;
- Social Security Number, tax identification number, passport number, driver’s license number, or any other government-issued identification number that is unique to an individual;
- Account numbers, credit card numbers, and any information combined that would allow access to the consumer’s accounts;
- Uniform Resource Locator or Internet Protocol address or host name that identifies an individual; or
- Any combination of the above.
In this case, the PI obtained by the companies was widely available on public websites and could be accessed through a basic Internet search. The FCC concluded that the storing of PI “in a publicly accessible folder on the Internet, without password protection or encryption, is the practical equivalent of having provided no security at all.”
Second, the FCC found that the companies’ failure to employ reasonable data security practices apparently violated Section 201(b) of the Act, which requires all practices in connection with interstate or foreign communication service to be “just and reasonable.” The FCC concluded that the companies’ data security practices were unjust and unreasonable because they failed to employ even basic and readily available technologies and security features for protecting PI, and because they created an unreasonable risk of unauthorized access.
Third, the FCC found that the companies apparently violated Section 201(b) of the Act by misrepresenting their security measures to consumers. For instance, the companies disseminated privacy policies and statements on their websites that represented that they employ reasonable security measures to protect the PI of consumers who sign up for service. In light of the fact that no safeguards were actually in place, the FCC found these representations to be false, deceptive, and misleading to consumers.
Fourth, the FCC found that the companies apparently violated Section 201(b) of the Act by failing to notify all consumers whose personal information could have been breached by the companies’ inadequate data security policies. Although the companies told the FCC that they had notified all of the consumers of the security breach, the FCC concluded that they had only notified 35,129 of the 300,000 consumers whose data was exposed. The FCC also concluded that the “notification of anything less than all potentially affected consumers” is unjust and unreasonable in violation of Section 201(b).
Republican Commissioners Pai and O’Rielly dissented from the decision. Commissioner Pai noted that the companies did not have fair warning of the duties that they allegedly breached, indicating that the FCC was “at once invent[ing] and enforc[ing] a legal obligation.” He also stated that the FCC’s asserted base forfeiture “strains credulity” because Congress could not have intended such massive potential liability for “telecommunications carriers” but not other companies, and because such other companies recently paid far less for flouting “actual rules” in consent decrees with the Enforcement Bureau. Commissioner O’Rielly expressed skepticism at the FCC’s authority to act in this case, asserting that neither Section 222 nor Section 201(b) covers the companies’ conduct. He also agreed with Commissioner Pai that the FCC failed to provide “fair notice” that there could be liability for such conduct.