UPDATE: The Federal Communications Commission (FCC) has reached a settlement with two telecom companies in connection with allegations the telecom companies violated the law regarding the privacy of phone customers’ personal information.
As we previously reported and discussed, in October 2014 the FCC initiated its first data security case against TerraCom, Inc. and YourTel America, Inc. Originally, the FCC had proposed a $10 million fine, which at the time made it the largest privacy action in the FCC’s history. Ultimately, the FCC and the telecom companies reached agreement on a $3.5 million settlement.
According to the consent decree, the companies allegedly breached the personal information of over 300,000 consumers through lax security practices, despite the privacy policies for the two companies stating that they had in place technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.
In addition to the $3.5 million settlement, the companies are also required to provide notification to all customers whose information was subject to the breach, provide credit monitoring to each individual, and improve privacy and data security by taking a number of additional steps. Those steps include, by way of example:
- conducting a risk assessment;
- implementing a written information security program;
- implementing a data breach response plan; and
- providing training to employees regarding privacy and security.
While the settlement is significantly lower than the initial proposed fine, this matter demonstrates the significant liability associated with the failure to adequately safeguard information and/or to implement safeguards consistent with a company’s statements regarding same.