For the first time, on October 24, the Federal Communications Commission ("FCC") took action in the area of data security regulation, which until now primarily has been within the domain of the Federal Trade Commission. In an unprecedented move, the FCC announced $10 million in fines against two telecommunications companies, TerraCom, Inc. and YourTel America, Inc., pursuant to the Communications Act, for allegedly failing to safeguard sensitive personal information of their customers.
According to the FCC investigation, the phone carriers apparently stored customer Social Security numbers, names, addresses, driver's licenses, and other sensitive information in a format accessible via the Internet, readable by anyone. The data, collected to prove eligibility for the government's subsidy program for low-income individuals, should have been destroyed after the eligibility process was complete, or stored in a secure manner. Instead, the FCC contends the companies exposed the personal information of up to 300,000 low-income consumers to public view. The FCC claims that the companies compounded the problem by allegedly failing to notify all potentially-affected consumers after the data security breach was discovered.
While it is unclear the extent to which the FCC intends to focus on data privacy, its recent action signals the increasing importance of data security and sends a strong message to custodians of personal information about their obligation to protect such information. In particular, entities regulated by the Communications Act have a duty to reasonably secure the personal information of customers, and the FCC may hold those entities accountable for failure to do so.
Businesses that collect, store, or maintain any personal identifying information should have compliance programs in place to ensure adequate protection of that data, and should follow appropriate response measures when a data breach occurs