The Federal Communications Commission (“FCC”) is the latest government agency to make a foray into data breach enforcement, proposing a $10 million fine against two telecommunications carriers for failing to protect the personal information of up to 305,000 consumers. In light of this development, companies regulated by the FCC must now be alert to potential liability to the FCC for failing to secure consumers’ “proprietary information” (“PI”). In this alert, we discuss the potential ramifications of this enforcement action and discuss best practices that a company may implement to avoid liability.
The FCC brought the enforcement action against two telecommunications companies, Terracom, Inc. and YourTel America, Inc. (collectively, the “Companies”), which provide telecommunications services to low-income residential customers as part of the federal Lifeline program. To enroll in this program, potential customers must demonstrate eligibility by submitting their personal information to the Companies. Each applicant was required to submit information such as the applicant’s name, address, date of birth, social security number, and driver’s license information.
The FCC alleges that between September 2012 and April 2013, applicants’ information was stored on data servers that were publicly accessible via the Internet. An investigative reporter made the discovery in early 2013. Over a period of approximately one month, the reporter was able to access at least 128,066 confidential records by using a simple Google search to locate a consumer’s data file and then shortening that file’s URL to gain access to the entire directory of consumer data.
The FCC Enforcement Action
The FCC is asserting authority to regulate cybersecurity in this instance under the Communications Act of 1934 (the “Act”). Under the Act, the FCC is tasked with regulating interstate and international communications by radio, television, wire, satellite, and cable throughout the United States and its territories. Moreover, § 503(b)(1) of the Act grants the FCC authority to impose a forfeiture penalty against “any person who willfully or repeatedly fails to comply with any provision of the Act.”
- Acting under this authority, the FCC charged the Companies with violations of Sections 222(a) and 201(b) of the Act. Under § 222(a), a carrier has a duty “to protect the confidentiality of proprietary information of, and relating to . . . customers.” Correspondingly, § 201(b) makes it unlawful for a carrier to employ “unjust or unreasonable” data security practices related to customers’ PI. Specifically, the FCC alleged that the Companies violated:
- § 222(a) for failing to protect the confidentiality of PI that consumers provided for Lifeline enrollment; § 201(b) for failing to employ reasonable data security practices to protect consumers’ PI;
- § 201(b) for misrepresenting in their privacy policies that they employed reasonable security measures to protect customers’ PI; and
- § 201(b) for failing to notify all affected customers.
In finding that the Companies had a duty under § 222(a) to protect the confidentiality of their customers’ PI, the FCC adopted the view that “proprietary information” should be broadly interpreted “as clearly encompassing private information that customers have an interest in protecting from public exposure.” According to the FCC, “proprietary information” includes “such confidential information as privileged information, trade secrets, and personally identifiable information.” Consequently, the FCC concluded that the information gathered by the Companies fell within the statutory protections of § 222(a).
The FCC rejected the Companies’ argument that a duty to protect PI does not arise until an applicant actually becomes a subscriber. Noting that applicants “have a reasonable expectation that the carrier will protect the confidentiality of the PI they provide as part of that transaction,” the FCC interpreted “customer” to include applicants as well as subscribers of a telecommunications service, adopting the broader of the two potential interpretations.
Accordingly, the FCC concluded that the Companies breached § 222(a) because they failed to provide even the most basic security measures to protect consumers’ PI. The Companies’ alleged failure to implement these security measures exposed their customers to potentially substantial injury such as identity theft and other harms.
The FCC also found that the Companies violated § 201(b). More specifically, they:
- “[F]ailed to employ even the most basic and readily available technologies and security features for protecting consumers’ PI.” According to the FCC, this “created an unreasonable risk of unauthorized access.”
- Provided false, deceptive, and misleading representations of security measures to consumers.The FCC alleged that since September 2012, the Companies’ respective websites had represented that they employed reasonable security measures to protect customers’ PI, when in fact no such safeguards were in place. According to the FCC, these deceptive practices were unjust and unreasonable and thus violated § 201(b).
- Failed to notify all consumers affected by the data breach. Of the approximately 305,000 consumers affected, the Companies notified only 35,129. The FCC found that this limited notification violated § 201(b) because it “left consumers ignorant about the risks of identity theft problems that may occur due in whole or part to the breach.”
In exercising its forfeiture authority under § 503(b)(1), the FCC noted that the “protection of consumer PI is a fundamental obligation of all telecommunications carriers.” Accordingly, the FCC proposed a $10 million fine for the Companies’ conduct. The Companies have 30 days from the date of the notice to seek a reduction of the fine.
In light of the FCC’s foray into data breach enforcement, companies regulated by the agency should review their current data security practices. Among other things, companies should:
- Ensure they employ “just and reasonable” security measures to protect consumers’ PI;
- Ensure that their representations about security measures to protect consumer PI accurately reflect actual security measures in place;
- Ensure that their incident response plans provide for timely notice to all consumers affected by a data breach; and
- Ensure that any other practice related to the protection of consumer PI is “just and reasonable” under the Act.
A copy of the FCC’s Notice of Apparent Liability against Terracom, Inc. and YourTel America, Inc. can be found here.