On October 24, 2014, the Federal Communications Commission (“FCC”) took a big step into the cybersecurity regulatory space when it announced its intent to assess a $10 million fine against two telecoms, TerraCom and YourTel America (“Companies”), for failing to protect the privacy of personal information the Companies collected from consumers. According to the FCC, the Companies did not properly secure the personal information collected from applicants of the Lifeline program, which is designed to help low-income individuals and families receive communications services. The names, addresses, Social Security numbers, and other personal information of the applicants were stored on a server maintained by a third-party service provider that was publicly accessible from the Internet. A reporter discovered the consumer information using a Google search and notified the Companies, who in turn notified the FCC. The FCC also alleged that both Companies failed to notify all of the potentially affected consumers of the breach.
The FCC conducted an inquiry and charged the two Companies with four violations under the Communications Act of 1934, Sections 201(b) and 222(a):
- A violation under Section 222(a) for failing to protect the confidentiality of personal information that consumers provided to demonstrate their eligibility for the Lifeline program;
- A violation under Section 201(b) for failing to employ reasonable data security practices to protect consumers’ personal information;
- A violation under Section 201(b) by representing in the companies’ privacy policies that they protected consumers’ personal information, when in fact they did not; and
- A violation under Section 201(b) by failing to notify all consumers whose personal information could have been breached by the companies’ inadequate data security.
In finding these violations, the FCC interpreted the Companies’ duty, under Section 222(a), “to protect the confidentiality of proprietary information of, and relating to” consumers broadly to include protecting the private information that consumers have an interest in protecting from public exposure, which the FCC also indicated was broader than just customer proprietary network information (“CPNI”). While the FCC did not formally adopt the National Institute of Standards and Technology’s (“NIST”) definition of personally identifiable information, the FCC indicated that the definition was informative. The FCC indicated that the definition of personally identifiable information used by NIST is: (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Using the NIST definition as a guide, the FCC identified the following consumer data elements as “proprietary information” under Section 222(a) that must be protected for the Lifeline program:
- First and last name;
- Home or other physical address;
- Email address or other online contact information, such as an instant messaging screen name that reveals an individual’s email address;
- Telephone number;
- Social Security Number, tax identification number, passport number, driver’s license number, or any other government-issued identification number that is unique to an individual;
- Account numbers, credit card numbers, and any information combined that would allow access to the consumer’s accounts;
- Uniform Resource Locator (“URL”) or Internet Protocol (“IP”) address or host name that identifies an individual; or
- Any combination of the above.
Additionally, the FCC turned to Section 201(b)’s requirement that “[a]ll charges, practices, classifications, and regulations” of a communications company be “just and reasonable” to find violations where the Companies failed to use reasonable security to protect consumer personal information, which was accessible to anyone with Internet access who entered the right search terms in a search engine. The consumer information was not password protected or encrypted. The FCC noted that it was not stating that encryption alone would make a telecommunications carrier compliant, but that given the state of technology today, a lack of encryption clearly evidences the “unjust and unreasonable nature” of a carrier’s data security practices. The FCC also pointed to the privacy policies of the Companies, which contained statements about safeguarding customer data, and found that the statements were false, deceptive, and misleading, considering the Companies’ lack of reasonable security.
Finally, the FCC also found that the Companies violated Section 201(b) by not notifying all potentially affected subscribers. The Companies informed the FCC that they notified all the potentially affected individuals, but had only provided notice to approximately 35,129 individuals as required by state data breach notification laws, and not the over 300,000 individuals whose information was accessible on the Internet. The FCC stated that it expects telecommunication carriers to “act in an abundance of caution – even to the extent of being overly inclusive” when notifying individuals of potential breaches. The FCC also indicated that compliance with notification obligations would be reviewed on a case-by-case basis.