The Federal Communications Commission recently proposed a fine against TerraCom Inc. and YouTel America Inc. for alleged failures to protect the personal information of over 300,000 of its customers. According to the FCC, the companies placed the information on servers that could be publicly viewed on the internet during a six-month time frame. The information included social security numbers and drivers’ licenses, among other details, and had been collected from customers who were interested in determining their eligibility for a program that provided phone service for low-income individuals. The privacy policies of both companies indicated that mechanisms were in place to safeguard information from unauthorized access. The FCC argued that letting the information be publicly viewable was both a violation of the Communications Act (which requires carriers to protect information), as well as deceptive and misleading representations around consumer privacy protections (constituting unjust and unreasonable practices). The FCC was also concerned that the companies had not notified people of the public accessibility of their information after discovering of the incident “depriving [the consumers] of any opportunity to take steps to protect their personal information from misuse by Internet thieves.” This is the first case that the FCC has brought over a data security matter, and it resulted in a $10 million fine.
TIP: Regulators are getting increasingly concerned about the protection that companies give to personally identifiable information. This case is a reminder that after a public breach, companies may face scrutiny over the sufficiency of their underlying protection measures.