On October 24, 2014, the Federal Communications Commission (FCC) proposed a $10 million forfeiture penalty against TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel) (collectively, the Corporations) for alleged data security violations. Although the FCC is currently unaware of any identity theft complaints, up to 305,000 consumers were exposed to the risks of identity theft.

The Corporations are common carriers providing telecommunications services as part of the Universal Service Fund's Lifeline program, which provides telecommunications services to qualified low-income consumers for a reduced charge. Low-income consumers submitted information and documentation to the Corporations, including their names, addresses, Social Security numbers, driver’s licenses and other proprietary information (PI), so the Corporations could determine their eligibility for the Lifeline program. The Corporations purportedly stored the information on unprotected public servers that lacked password protection or encryption, which anyone could access through the Internet. The FCC found that the failure to implement reasonable security measures to protect the PI exposed consumers to unacceptable risks, including identity theft.

The FCC proposed a forfeiture penalty against the Corporations for willfully and repeatedly violating the law when they allegedly:

  • Failed to protect the confidentiality of the PI they collected from applicants for the Corporations’ Lifeline telephone services
  • Failed to employ reasonable data security practices to safeguard the consumers’ PI
  • Engaged in deceptive and misleading practices by misrepresenting to consumers that appropriate technology privacy policies were employed
  • Failed to adequately inform consumers that their PI had been compromised by third parties.

In a 3–2 vote, the FCC found that the Corporations violated their duty under the Communications Act to protect consumer information and proposed a forfeiture of $8.5 million for the Corporations’ failure to protect the interests of consumers and to deter future violations, as well as $1.5 million for maintaining false and misleading privacy policies on the Corporations’ website.

Takeaways

With the proposed imposition of a $10 million forfeiture penalty, the FCC becomes the latest governmental agency actively levying penalties against entities that fail to adequately secure consumer data and fail to adhere to their own privacy policies. Although the Corporations have the right to contest the Order imposing the forfeiture penalty, it is clear that the FCC is interested in becoming more active in the protection of consumer privacy and that it is willing to impose significant penalties against alleged violators.

The FCC’s decision is another warning to businesses to invest in and implement a system that protects their consumers’ PI and that the failure to do so can be costly. In addition, we are reminded by the FCC that businesses will be held accountable for their representations. It is not enough to say you are going to protect consumer PI; you must actually take steps to protect consumer PI. The failure to safeguard consumer PI and adhere to representations may result in significant penalties that can be averted with proper risk management, including planning, implementing and auditing a privacy policy.