The Federal Communications Commission ("FCC") voted on October 24, 2014 to pursue fines of $10 million against two companies for alleged violations of laws protecting the privacy of telephone customers' personal information. This is the second major enforcement action the FCC has taken to protect consumer privacy in the last two months, but it is the first time ever that such a fine has been based on failures of data security rather than failures to obtain consent or similar misuse of customer data. This fine appears to extend the FCC definitively into the enforcement of cybersecurity, a realm in which it has not previously taken a major role.
According to an investigation by the FCC's Enforcement Bureau, two wireless carriers—TerraCom and YourTel—allegedly stored Social Security numbers, names, addresses, driver's licenses, and other sensitive information belonging to their customers on unprotected internet servers that anyone in the world could access. This alleged breach made news last year when journalists reported that they were able to access customer information for TerraCom and YourTel that had been posted to the website of a third-party call center operator that was under contract to the companies. The FCC explained that these companies allegedly breached the personal data of up to 300,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud.
In its first-of-a-kind data security enforcement order, the FCC identifies an unusually wide range of statutory justifications for the fine. The FCC cites the carriers' statutory duty to protect customer data but also alleges "unjust and unreasonable practice" for inadequately protecting the information and failing to notify customers, as well as "deceptive and misleading" representations contained in the two companies' privacy policies.
The FCC's two Republican Commissioners dissented from the decision, arguing that the FCC has never adopted rules specifically prohibiting the types of data security failures alleged to have been committed by the two carriers, and that the FCC may lack statutory authority to do so. FCC Chairman Thomas Wheeler responded to the dissenting Commissioners, stating, "we do not need detailed ex ante rules and regulations to know that this is simply unacceptable."
The FCC's action follows a $7.4 million settlement in September 2014 between the FCC and Verizon to close an FCC investigation, without a finding of fault, regarding allegations that Verizon misused the personal information of two million of its customers to market other services without their consent or notification of their privacy rights. Previous FCC actions focusing on cybersecurity have taken the form of nonbinding recommendations, such as a July 25, 2014 request for comment on the progress of implementing cybersecurity best practices. Although the October 24 fine may be directly relevant only to companies that are involved in the telecommunications industry and therefore under the FCC's jurisdiction, this is one more indication that all U.S. federal agencies are monitoring cybersecurity issues more closely than ever.