The Federal Communications Commission announced on October 24 its intention to fine two telecom companies $10 million for storing the personally identifiable information of more than 300,000 customers online without firewalls, encryption, or any protection. While the Federal Trade Commission routinely fines companies for data security failures, this is the Federal Communication Commission’s first data security enforcement action and, according to the press release, “the largest privacy action in the Commission’s history.”
The FCC alleges in a Notice of Apparent Liability for Forfeiture that the failure of the two wireless carriers, TerraCom, Inc. and Yourtel America, Inc., to protect the Social Security numbers and other personal information of their customers amounted to a violation of Sections 222(a) and 201(b) of the Communications Act. Section 222(a) requires telecommunications companies to maintain the confidentiality of customers’ “proprietary information.” Section 201(b) provides that “[a]ll charges, practices, classifications, and regulations for and in connection with [interstate and foreign] communication service [by wire or radio], shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful.” The companies’ alleged false statements about their security practices in their privacy policies and their failure to notify customers about the breach also violated Section 201(b) of the Communications Act, according to the FCC.
In calculating the $10 million Section 222(a) fine, the FCC noted that each of the more than 300,000 customer records amounted to a single violation of the Communications Act (assuming that each customer only had one record). And while it calculated a $1.5 million fine for the 201(b) violations, the FCC acknowledged that it had never before used that section to regulate carrier’s data security or data breach notification practices and stopped short of proposing such a fine. However, the FCC declared, “[C]arriers are now on notice that in the future we fully intend to assess forfeitures for such [201(b)] violations.”