At Kelley Drye, we handle a lot of FCC investigations, so we know first hand how the Commission develops proposed forfeitures for telecom violations. In previous posts, I've commented that the FCC should reconsider the proportionality of the base forfeiture amounts it uses in telecom enforcement cases. A case released today underscores the inherent weaknesses of the FCC's current ad hoc approach to setting these base forfeiture amounts.
In the case described below, the FCC proposed a $100,000 fine for a telecom carrier's non-compliance with its privacy rules -- namely, the rule requiring carrier to execute annual compliance certifications. Three years later (and after a shift in administrations), the FCC settled the proposed fine for a mere $250. There is no mention of mitigating circumstances, of an inability to pay or of any of the statutory factors the FCC is obligated to consider. The outcome leaves you wondering: Just what is the base fine for failing to comply with the FCC's privacy rules?
At issue here is the FCC's enforcement of its customer privacy rules, also known as the CPNI rules. Over the past three years, this has been a significant area of FCC enforcement. The FCC and its Enforcement Bureau have proposed dozens of fines and issued an Omnibus CPNI NAL to over 600 carriers. The Commission does not have an adopted forfeiture guideline for CPNI violations, so each time it has exercised its discretion under the statute to determine the appropriate forfeiture amount. However, in doing so, the Commission has proposed widely varying base fines for the same action -- failing to file the CPNI certification. First, the proposed base was $100,000, then $20,000 and, most recently, $25,000. Minor deficiencies in the content of the certifications first were treated the same as a failure to file the certification, and were given proposed fines of $100,000. Later, however, the FCC proposed fines of $4,000, $2,000 or $1,000 for deficient certifications, well below the base forfeiture for failing to file a certification.
In today's case, the FCC had proposed a fine of $100,000 for failing to file the certification. Here's what the FCC said in 2007 about the gravity of the alleged offense:
In determining the proper forfeiture amount in this case, however, we are guided by the principle that there may be no more important obligation on a carrier’s part than protection of its subscribers’ proprietary information. Consumers are increasingly concerned about the security of their sensitive, personal data that they must entrust to their various service providers, whether they are financial institutions or telephone companies. Given consumers’ increasing concern about the security of this data, and evidence that the data appears to be widely available to third parties, we must take aggressive, substantial steps to ensure that carriers implement necessary and adequate measures to protect their subscribers’ CPNI, as required by the Commission’s existing CPNI rules.
Fast forward to today, when the FCC released a settlement agreement with the carrier that received the $100,000 fine. The Consent Decree contains all of the usual elements of a settlement -- the carrier agreed to a compliance plan, will implement new training, etc. In addition, it contains a "voluntary contribution" settling the case for a mere $250. This is a mind-boggling reduction in the forfeiture of well over 99%.
This being a voluntary settlement, there is no explanation for the reduction in the forfeiture amount. Nor is there any explanation to reconcile this settlement with other settlements, which have ranged from a few hundred to a few thousand dollars. Practitioners like me are left scratching our heads to find any consistency in the FCC's enforcement. That lack of consistency could be a significant weakness, if a party decides to challenge an FCC forfeiture in court. In the court of appeals, they often call unpreditable results "arbitrary and capricious" decisionmaking.