In the agency’s first data security enforcement effort, the Federal Communications Commission (FCC) announced that it took action against TerraCom, Inc., and YourTel America, Inc., for failing to protect consumer data.
The two telecommunications carriers will pay a total of $10 million for posting the personal information of customers on unprotected servers that were accessible by the public in violation of Section 222 of the Communications Act.
According to the FCC, the companies gathered personal information (such as Social Security numbers, names, addresses, and driver’s license numbers) to determine customer eligibility for the Lifeline program of discounted phone services.
Although the privacy policies for both companies stated they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use,” the FCC alleged the companies stored the collected information “in a format accessible via the Internet and readable by anyone” for approximately eight months.
Even after the companies recognized their “lax data security practices,” the FCC said the 305,000 customers affected were not all notified, and were therefore deprived of the opportunity to protect themselves.
“The Commission alleges that the carriers’ failure to reasonably secure their customers’ personal information violates the companies’ statutory duty under the Communications Act to protect that information, and also constitutes an unjust and unreasonable practice in violation of the Act, given that their data security practices lacked even the most basic and readily available technologies and security features and thus creates an unreasonable risk of unauthorized access,” according to the FCC.
The agency imposed a $10 million fine on TerraCom and YourTel for their “deceptive and misleading representations of customer privacy protections, and their subsequent failure to notify their customers of the security breach.”
To read the FCC’s Notice of Apparent Liability, click here.
Why it matters: With the two enforcement actions – and the largest fine in Commission history – the FCC has jumped onto the data security bandwagon and looks to be staying put. “Consumers trust that when phone companies ask for their Social Security number, driver’s license, and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world,” Travis LeBlanc, Chief of the FCC’s Enforcement Bureau, said in a statement. “When carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.” Two Commissioners dissented from the decision to fine the companies, however, writing that the agency engaged in “sentence first, verdict afterward” decision making, and questioning whether the agency has the authority to regulate data security under Section 222 of the FCC Act.