The increased emphasis on cybersecurity has prompted multiple agencies to wade into the regulatory waters to protect consumer data. The most recent to join is the Federal Communications Commission (“FCC”). In September 2014, the FCC settled a privacy breach for $7.4 million with Verizon for unlawfully marketing to customers. On October 24, 2014, the FCC issued its first enforcement action for failure to protect customer data, a $10 million fine against TerraCom, Inc. and YourTel America, Inc. (FCC Action No. 14-173). Less than a week later, on October 28, 2014, the FCC announced its decision to join the Global Privacy Enforcement Network, an international team of privacy regulators whose members include the Federal Trade Commission.
The latest fine resulted from TerraCom and YourTel’s practice of storing personal consumer information on an allegedly unprotected internet server. According to the FCC, both companies compromised sensitive data ranging from Social Security numbers to driver’s license numbers for over 300,000 consumers, in spite of having well-drafted privacy and technology policies in place. After learning of the compromised state of this personal data, the FCC alleged that neither TerraCom nor YourTel informed an adequate number of consumers of the breach.
Using the Communications Act of 1934, Section 222(a), which makes no mention of cybersecurity, the FCC claims that the statute should cover “private information that customers have an interest in protecting from public exposure.” In its decision, the FCC refers to this type of data as “proprietary information.” Under the FCC’s interpretation of Section 222(a), this proprietary information could include Social Security numbers, but it just as well may include more benign information, such as home addresses or phone numbers. Next, the FCC interpreted Section 201(b) of the Act to mean that TerraCom and YourTel engaged in “unjust and unreasonable practices.” Because the companies provided notice of the data breach to only some consumers instead of notifying all 305,000 potentially compromised consumers, they thereby “willfully and repeatedly violated the law” under Section 201(b). This fine was the largest privacy action in FCC history, and it is a signal that the FCC intends to insert itself in the cybersecurity enforcement arena going forward.
Already there has been criticism against another agency coming into the field. The U.S. Chamber of Commerce has been vocal about duplicative, overlapping enforcement and improper expansion of regulatory authority. Meanwhile, companies should prepare themselves for additional challenges as agencies seek to regulate cybersecurity standards.