In a split vote last Friday, the Federal Communications Commission (FCC or Commission) invoked a seldom-used provision of the Communications Act and signaled its intent to impose a $10 million fine on two affiliated telecommunications carriers, TerraCom, Inc. and YourTel America, Inc., for allegedly failing to protect consumers’ personal information. By flexing previously unused statutory muscles, last week’s decision is a strong signal of the Commission’s desire to expand its role as a privacy and data security regulator. In particular, the Commission appears to be attempting to create an entirely new data breach notification requirement under federal communications law. Telecommunications carriers should take note.
According to the FCC, TerraCom and YourTel are telecommunication carriers that offer wireless, voice and data services in various states and US territories. Beginning in 2012, the companies (which have common shareholders and key managers) began to offer reduced-cost services to qualifying low-income individuals under the FCC’s Lifeline program. Under the FCC’s Lifeline regulations, the companies were required to verify applicants’ eligibility for the Lifeline service – a process that entailed collecting various types of personal information, including address, date of birth, Social Security Number, driver’s license or state ID card information, and financial information.
In last Friday’s Notice of Apparent Liability for Forfeiture (NAL), the FCC recounted that, in 2013, a reporter for the Scripps Howard News Service (Scripps) discovered – by using a popular search engine – that some of the information that the companies had collected from Lifeline applicants was stored on an unprotected, public-facing website. During a one-month period, the reporter was able to access sensitive personal information and documents submitted by more than 128,000 Lifeline applicants.
The FCC’s Investigation and Proposed Fine
The companies notified the FCC of the Scripps reporter’s actions, and, shortly thereafter, the FCC’s Enforcement Bureau launched an investigation, which culminated with the adoption of the NAL. After determining that that the companies may have exposed the personal information of up to 305,000 consumers, the FCC found the companies apparently liable for violating their obligation under the Communications Act to “protect the confidentiality of proprietary information of, and relating to . . . customers” in four ways:
- By allegedly failing to protect the confidentiality of personal information collected from Lifeline applicants;
- By allegedly failing to employ reasonable data security practices;
- By allegedly engaging in deceptive and misleading practices when the companies stated in their privacy policies that used appropriate technologies to protect personal information; and
- By allegedly failing to notify consumers of the breach of the companies’ security.
Although the FCC identified four apparent violations of the Communications Act, in a footnote, the agency explained that the proposed $10 million fine does not cover the companies’ alleged failure to provide breach notifications, as this was the first time in which the FCC has determined that a carrier’s failure to notify consumers of a security breach is a violation of the Communications Act.
Possible Next Steps
Based on the size of the fine and the FCC’s acknowledgment that this is the agency’s “first data security case,” it seems almost inevitable that the companies will challenge the NAL. If they choose to do so, the companies may look to the dissenting statements of Commissioners Pai and O’Rielly, both of whom point to possible flaws in the NAL.
Most notably, both dissenting commissioners fault the majority’s choice to use an enforcement action to establish a new regulatory policy. Although Congress has clearly authorized the FCC to regulate telecommunications privacy issues to some degree, according to Commissioners Pai and O’Rielly, the NAL represents such a stark departure from the agency’s prior reading of the Communications Act that the Commission should have first solicited public comment on its new, expansive interpretation of its authority in this area.
Commissioner O’Rielly goes further and questions the fundamental premise that the Communications Act authorizes the FCC to regulate data security issues in this manner. In his dissenting statement, O’Reilly states that he is “noticing a disturbing trend at the Commission where, in the absence of clear statutory authority, the Commission suddenly imbues an innocuous provision of the [Communications] Act with tremendous significance in order to meet its policy outcome.” He cites the FCC’s recent unsuccessful attempts to adopt network neutrality rules as another example of the trend.
Because of the companies’ ability to challenge the NAL, the ultimate outcome of the TerraComproceeding is unclear at this point. At the very least, however, the TerraCom NAL serves as a notice to the telecommunications sector that the FCC is becoming and active privacy and data security regulator – and it isn’t afraid to develop new and creative ways to test the limits of its authority.