Last Friday, the FCC released a Notice of Apparent Liability for Forfeiture (“Notice”) ordering TerraCom, Inc. and YourTel America, Inc. to pay a $10 million forfeiture for the companies’ failure to reasonably secure electronic customer information. In doing so, the FCC relied on Title II (i.e., the “common carrier” provisions) of the Communications Act of 1934, as amended, raising questions about whether the decades old statute can be read to cover data protection issues and likewise whether regulated companies had fair notice of their obligations under such an expanded reading. In doing so, the FCC also challenged the Federal Trade Commission, which had previously believed the FTC should have exclusive jurisdiction over privacy failures of this kind.
The Background: TerraCom and YourTel are both telecommunication service providers that offer subsidized phone services through the federal Lifeline program, which is a reduced charge phone service that telecom carriers provide to qualifying low-income consumers. Low income consumers who want Lifeline services must submit income and other information, including name, address, birthdate, social security number, and tax returns, to the service provider to prove they qualify. TerraCom and YourTel collected this information from consumers and contracted with a third party call center in India, Vcare Corporation, to host and store the information.
The Breach: In early 2013, an investigative reporter determined that TerraCom and YourTel customer data was being stored on Vcare servers in readable form and was publicly accessible via unprotected Internet sites. In April 2013, the reporter alerted TerraCom and YourTel to the accessibility of the data on the Internet. TerraCom and YourTel responded to the reporter with a cease and desist letter calling the reporter a “hacker” who had illegally accessed the data. TerraCom and YourTel also reported the alleged breach to the FCC Enforcement Bureau and advised the FCC that it notified the affected customers, though the FCC contends only about 10% of the 300,000 customers were notified.
The Notice: The Notice orders a forfeiture of $10 million against TerraCom and YourTel on four grounds under Title II of the Communications Act of 1934, as amended, namely:
- failing to protect confidential consumer information under Section 222(a) of the Communications Act by breaching their statutory duty to protect the information;
- failing to employ reasonable data security practices to protect consumer information in apparent violation of Section 201(b);
- engaging in deceptive practices by misrepresenting their security measures to consumers in apparent violation of Section 201(b); and
- engaging in unreasonable practices by failing to notify all affected consumers in apparent violation of Section 201(b).
The Dissents: Two of the five member FCC Commission, Commissioners Pai and O’Rielly issued dissenting statements. While troubled by the lax care the companies took to protect and secure confidential customer information, Commissioner O’Rielly’s dissent argues that the FCC does not have authority to act and that there was no fair notice to the companies involved. Commissioner O’Rielly’s arguments can be summarized as follows:
- Section 222(a) protects only data that meets the definition of “Customer Proprietary Network Information (CPNI)” such as dates and times of calls and other information of the type found on phone bills, and does not extend to the data at issue;
- Section 201(b), which dates back to 1935 and covers “communications by wire and radio,” cannot be read to cover data protection; and
- The FCC has not given fair notice because “‘fair notice of the obligation being imposed on a regulatee’ means that ‘by reviewing the regulations and other public statements issued by the agency a regulated party acting in good faith would be able to identify, with ascertainable certainty, the standards with which the agency expects parties to conform before imposing civil liability,’” and that is not the case here.
Commissioner Pai’s dissent is focused solely on fair notice issues similar to those expressed by Commissioner O’Rielly and summarized above.
Next Step: TerraCom and YourTel have 30 days from the October 24, 2014 release of the Notice to pay the full amount of the proposed forfeiture or to each file a written statement seeking reduction or cancellation of the proposed forfeiture.
The Future: The FCC has asserted in the past that it may announce new interpretations or policies in the context of an adjudication and this is perhaps one step in that direction. Given the recent rash of cybersecurity breaches, this may also be an effort to increase awareness of cybersecurity risks and an effort to expand protection afforded under present legislation in light of the recent difficulties in advancing new cybersecurity legislation in Congress.