In what the Federal Communications Commission (FCC) referred to as its first data security case, the FCC recently issued a Notice of Apparent Liability (the Notice) that it intends to fine two telecommunication service providers $10 million for allegedly failing to protect the personal information of potential customers.1 This represents the FCC’s first enforcement action using its existing regulatory authority to impose minimal cybersecurity standards against companies within its regulatory domain. Given increasing pressure on companies and regulators to combat growing information security threats, federal agencies will likely continue to apply existing regulatory tools to confront the emerging threats.

In the October 24, 2014, Notice, the FCC alleged that two related companies, TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel), violated the Communications Act of 1934, as amended, when the companies allegedly “failed to properly protect the confidentiality of consumers’ [proprietary information (PI)] they collected from applicants for the companies’ wireless and wired Lifeline telephone services” and that they “failed to employ reasonable data security practices to protect consumers’ PI.”2 The allegations arise out of information collected by the companies from consumers applying for the Lifeline program, which is a federal program that allows telecommunications carriers to provide wired and wireless telephone service to low-income consumers at a reduced price. In 2013, an investigative reporter for the Scripps Howard News Service found a collection of  records and supporting documents containing personal and confidential information submitted by applicants for the companies’ Lifeline programs on a publically-accessible server. The FCC’s enforcement action follows the companies’ 2013 disclosure to the FCC about the release of this consumer information.

The FCC based its authority to fine the companies primarily on Section 222(a) of the Communications Act of 1934.   Section 222(a)  states  that “[e]very  telecommunications  carrier has  a duty  to protect the confidentiality of proprietary  information of, and relating to …customers[.]”   That section, captioned “Privacy of Customer Information,” has previously been applied in the context of protecting “Customer Proprietary Network Information” (CPNI), which is defined as:

  1. information that relates to the quantity, technical configuration, type, destination,  location, and amount of use of a telecommunications service subscribed to by any  customer of a telecommunications carrier, and that is made available to the carrier by the  customer solely by virtue of the carrier-customer relationship; and
  2. information contained in the bills pertaining to telephone exchange service or  telephone toll service received by a customer of a carrier;

except that such term does not include subscriber list information.3

In the Notice, the FCC found that Section 222(a) does not, on its face, limit the duty of carriers to protect customer information to only CPNI. To clarify the range of data that the FCC believes must be protected under Section 222(a), the FCC pointed to the National Institute of Standards and Technology (NIST) guidelines for protecting “personally identifiable information” (PII).4 NIST defines PII as “any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and . . . any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” While the FCC did not adopt NIST’s definition, it found that “proprietary information” under Section 222(a) broadly encompasses PII, and that TerraCom and YourTel failed to meet their duty under Section 222(a) to protect such information. The FCC further held that while some applicants may not have ultimately received service from the companies, all applicants were “customers” under this section and had an expectation that the companies would protect their information, especially given the companies’ own privacy policy promised to protect applicant and customer data alike.

The FCC’s enforcement action went further than simply faulting the companies for failing to protect customer proprietary information. It also found that the companies’ data security practices themselves were below a minimally acceptable standard. The FCC applied Section 201(b) of the Communications Act of 1934 to require telecommunications carriers to employ “just and reasonable” practices to protect consumer’s proprietary information. Section 201(b) requires that “[a]ll charges, practices, classifications, and regulations for and in connection with such communication service, shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful.”5 The FCC found that the companies “failed to employ even the most basic and readily available technologies and security features for protecting consumers’ PI,” noting that the information was publically accessibly on the Internet and was not encrypted in anyway. The FCC alleged that the companies’ data security practices “created an unreasonable risk of unauthorized access,” relying on evidence that unknown parties from various countries had accessed the personal information of applicants. The FCC also found that the companies’ practices were “deceptive and misleading,” in violation of Section 201(b), because the companies’ privacy policies stated that they “employed appropriate technologies to protect consumers’ PI,” and also that the companies acted unjustly and unreasonably by not informing consumers that their PI was compromised.

While the FCC appears to have found that the companies’ data security practices were below some minimally acceptable information security standard, it did not articulate any such standard. Instead, the FCC indicated that a failure to employ at least “the most basic and readily available technology and security features” for protecting customer information is per se unlawful under the Act.

The FCC action suggests it could take a more vigorous enforcement of cybersecurity standards in future cases, but what standard will apply in those cases remains as open question. First, the concept of what constitutes “basic” or “readily available” security technology remains broad and amorphous. Second, as technology evolves, it is unclear how or on what basis this standard will be measured or adjusted. It is clear, however, that the FCC expects published privacy policies to be accurate and reflect a company’s actual practices.

More generally, this enforcement likely represents a trend among the various federal agencies to employ existing regulatory frameworks to carve out authority to impose minimal cybersecurity standards. As each agency addresses various information security threats particular to their domain of regulation, such an approach may lead to a patchwork of conflicting standards. This patchwork of standards will likely persist until either congressional or executive action unifies the standards and provides clear guidance to companies on their obligations to safeguard information.

In short, while the minimum cybersecurity standards that a service provider must meet to comply with its obligations under the Communications Act remain ambiguous, the FCC has asserted that it believes it has the mandate and authority to impose some minimum standard on the service providers it regulates. Thus, the FCC’s enforcement power must be included among the various factors companies should consider in developing a cybersecurity strategy.