The Enforcement Bureau entered into a Consent Decree resolving (1) a prior $10 million Notice of Apparent Liability (“NAL”) alleging that two related companies violated Sections 201(b) and 222(a) of the Communications Act by failing to protect the confidentiality of “proprietary information” they received from customers applying to demonstrate eligibility for their low-income Lifeline phone services, and (2) a separate investigation regarding compliance with FCC instructions to remove ineligible Lifeline subscribers. The proprietary information did not include Customer Proprietary Network Information (“CPNI”), which is covered explicitly by Section 222(c) of the Act and the FCC’s CPNI rules.
- The Consent Decree included a $3.5 million civil penalty resolving both the NAL and the separate Lifeline investigation and imposed significant compliance measures in order for the companies to “improve their privacy and data security practices,” including by (i) designating a senior corporate manager who is a certified privacy professional; (ii) conducting a privacy risk assessment; (iii) implementing a written information security program; (iv) maintaining reasonable oversight of third party vendors; (v) implementing a data breach response plan; and (vi) providing privacy and security awareness training to employees. Notably, for purpose of the consent decree, the companies admitted that their actions violated Sections 201(b) and 222(a). The Consent Decree included separate admissions and compliance provisions regarding the Lifeline issues. The core data security compliance requirements remain in effect for eight years rather than the typical three-year period in most Consent Decrees and the seven-year period for data security compliance requirements in another Consent Decree earlier this year.
- Commissioner O’Rielly issued a statement indicating that the Consent Decree “highlights the problem of making policy through enforcement actions” and expressing concern that “attempts will be made to cite the Consent Decree as precedent for an entire industry even though it was a product of company-specific negotiations.” He also expressed concern that entities that had no opportunity to comment on the Commission’s “claims or legal theories” will now “be forced to embrace the product of a closed and slanted process that will be portrayed as consensus practice and rules.”