Data security seems to make headlines nearly every week, but last Friday, a new player entered the ring. The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission. In its 3-2 vote, the FCC did not tread lightly – it assessed a $10 million fine on two telecommunications companies for failing to adequately safeguard customers’ personal information.
The companies, TerraCom, Inc. and YourTel America, Inc., provide telecommunications services to qualifying low-income consumers for a reduced charge. The FCC found that the companies collected the names, addresses, Social Security numbers, driver’s licenses, and other personal information of over 300,000 consumers. The data was stored on Internet servers without password protection or encryption, allowing public access to the data through Internet search engines. This, the FCC found, exposed consumers to “an unacceptable risk of identity theft.”
The FCC charged the companies with violation of Section 222(a) of the Communications Act, which it interpreted to impose a duty on telecommunications carriers to protect customers’ “private information that customers have an interest in protecting from public exposure,” whether for economic or personal reasons. Additionally, the companies were charged with violation of Section 201(b), which requires carriers to treat such information in a “just and reasonable” manner.
The companies were determined to have violated Sections 201(b) and 222(a) by failing to employ “even the most basic and readily available technologies and securities features.” The companies further violated Section 201(b), the FCC found, by misrepresenting in their privacy policies and statements on their websites that they employ reasonable and updated security measures, and by failing to notify all of the affected customers of the data breach.
Commissioners Ajit Pai and Michael O’Rielly dissented, arguing that, among other things, the FCC had not before interpreted the Communications Act to impose an enforceable duty to employ data security measures and notify customers in the event of a breach. Though now that the FCC has so-interpreted the Act, we can expect the FCC to keep its eye on data security.
The FCC made clear that protection of consumer information is “a fundamental obligation of all telecommunications carriers.” Friday’s decision also makes clear that the FCC will enforce notification duties in the event of a breach, and will look closely at carriers’ privacy policies and online statements regarding data security.