On October 24, 2014, in its first data security enforcement action outside of the CPNI context, the Federal Communications Commission (“FCC” or the “Commission”) issued a Notice of Apparent Liability for Forfeiture of $10,000,000 against two telecommunications providers TerraCom, Inc. and YourTel America, Inc. (the “Companies”) providing telecom services to low-income consumers pursuant to the Lifeline program overseen by the FCC.  The FCC based the enforcement action on two sections of the Communications Act of 1934 (the “Act”) — Section 201(b), which establishes a general requirement that practices in conjunction with communication service must be “just and reasonable”, making unlawful any practice that is “unjust or unreasonable” and Section 222(a), which establishes a duty to protect customer “proprietary information”.

The FCC’s enforcement action is the first based upon each of these provisions and we expect that the Commission will bring more enforcement with regard to carriers data going forward.

The Commission found that the Companies’ failure to employ basic and readily available technology and security to protect customers information was unjust and unreasonable.  The Companies stored customers’ personal information on servers that were publically accessible via the Internet.  Although the FCC indicated that encryption alone would not satisfy a carrier’s obligation under Section 222(a), the Commission found that given current technology, a lack of encryption is evidence of unjust and unreasonable data security practices.  Second, the FCC determined that placing a consumer’s name in a URL in plain text may under certain circumstances amount to a breach of the duty under Section 222(a) and when linked to other personal information, it definitively constitutes a violation.

With respect to Section 201(b), the Commission found that lack of data security and the potential harm to customers (identity theft) to be an apparent violation of Section 201(b).  Further, the FCC found that the Companies’ misrepresentation of their data security practices in their privacy policies, including misrepresenting that their security measures were being continuously updated, was a violation of Section 201(b).

Although the Companies’ lax data security and misrepresentations were egregious, the FCC NAL does forge new ground in terms of the categories of violations that may trigger enforcement actions and should be a warning to other telecommunications providers.