In an unprecedented data security enforcement action, the Federal Communications Commission (FCC) has joined the ranks of federal and state regulators imposing fines for data security breaches, levying a $10 million fine against two telecommunications carriers for storing personally identifiable customer data online without adequate security safeguards. The FCC’s Notice of Apparent Liability for Forfeiture (NAL) issued last Friday signals the agency’s intent to possibly create new data breach notification obligations under federal communications law that could extend to companies that use telecommunications networks and cloud storage systems to transmit and store consumers’ personal information.
Background of the Breach
TerraCom Inc. and its affiliate YourTel America, Inc. collected information from low-income individuals to determine eligibility for Lifeline, a government program providing discounted telephone service. To prove their eligibility, potential customers were asked for personal information, including their names, addresses, Social Security numbers, dates of birth, driver’s license numbers and other sensitive personal information. However, instead of securely storing this data or destroying it after determining customers’ eligibility, the carriers stored the information in two publicly accessible Internet servers from September 2012 through April 2013 without password protection or encryption.
The breach was discovered in early 2013 by a Scripps news service investigative reporter, who was able to locate and access, via a simple Google search, all Lifeline data collected and stored by a third-party vendor used by YourTel and TerraCom. The reporter alerted the companies, which responded by sending a cease-and-desist letter to Scripps and accusing the reporter of hacking into the servers that contained the sensitive customer data.
The FCC’s NAL and Dissenting Statements
In what the agency described as its “first data security case and the largest privacy action in the Commission’s history,” the FCC found that the carriers had “breached the personal data of up to 305,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud.” The FCC found that the carriers failed to protect the confidentiality of the customers’ sensitive data and failed to employ reasonable security measures to safeguard the information. As a result, the FCC ruled that the companies violated their statutory duties to protect customer information and engaged in unjust and unreasonable practices in violation of the Communications Act of 1934 (the Communications Act) because their data security practices lacked “even the most basic and readily available technologies and security features and thus create[d] an unreasonable risk of unauthorized access.” The FCC further found that the carriers misrepresented in their privacy policies and in statements on their website that they had employed “technology and security features to safeguard the privacy of . . . customer specific information from unauthorized access or improper use.” Finally, the FCC ruled that the carriers engaged in unjust and unreasonable practices by failing to notify all potentially affected consumers of the breach.
The NAL was issued on a 3-2 split vote, with two Commissioners issuing dissenting statements. Those dissents took issue with the majority’s issuance of a fine in the absence of “prior fair warning.” Commissioner Pai noted in his dissent that “there is no pre-existing legal obligation to protect personally identifiable information (also known as PII) or to notify customers of a data breach to enforce. The Commission has never interpreted the Communications Act to impose an enforceable duty on carriers to ‘employ reasonable data security practices to protect’ PII.” Given the size of the fine and the strong dissents, it is likely that the carriers will challenge the NAL.
Impact of the FCC’s Actions and Unresolved Questions
The FCC’s action is significant because it is the agency’s first foray into data security, an area that has been primarily regulated federally by the Federal Trade Commission, the Department of Health and Human Services and the Consumer Financial Protection Bureau. This also appears to be the first time that the agency has applied Section 222(a) of the Communications Act, requiring telecommunications carriers to protect the confidentiality of customers’ information, to a broad range of what the FCC is calling “private information that customers have an interest in protecting from public exposure.” The FCC’s action is also notable because it marks the first time the FCC has determined that a failure to employ reasonable data security practices to protect customer data constitutes an “unjust and unreasonable” practice in violation of Section 201(b) of the Communications Act. In doing so, the FCC appears be following the FTC’s and other regulators’ lead in requiring companies to take industry-appropriate steps to protect certain types of sensitive customer data. This also marks the first time that the FCC has issued a proposed fine for a carrier’s failure to notify affected individuals of a breach of their personal information.
The FCC’s NAL action against TerraCom and YourTel raises several unresolved issues, such as the following:
- Whether the FCC—as part of the its authority to regulate “unjust and unreasonable” practices “for and in connection with” a communications service under Section 201(b) of the Communications Act—will expand its cybersecurity enforcement beyond companies such as wireless and wireline communications carriers, which are already squarely within the FCC’s statutory jurisdiction, to data breaches involving other companies that use telecommunications networks and cloud storage systems to transmit and store consumers’ personal information.
- The degree to which and on what grounds the FCC’s jurisdiction to impose fines for data security breaches will be challenged.
- The degree to which insurance policies will cover these sorts of fines and penalties by the FCC, which until now has not been a regulatory body of much concern with respect to data security and breaches.
- The degree to which FCC enforcement in relation to data breaches will run a risk of conflicting and confusing enforcement actions by other federal and state agencies.
- The degree to which FCC enforcement actions as to data security lapses and breaches will become a roadmap for private class action litigation.