In a first for the FCC, it announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:
The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is a Universal Service Fund program that provides discounted phone services for low-income consumers. The companies allegedly breached the personal data of up to 305,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud. This is the Commission’s first data security case and the largest privacy action in the Commission’s history.
The full text of the FCC’s decision can be found here. The specific charges were that the companies:
violat[ed] (1) Section 222(a) of the Act for failing to protect the confidentiality of PI that consumers provided to demonstrate eligibility for Lifeline telecommunications services; (2) Section 201(b) of the Act by failing to employ reasonable data security practices to protect consumers’ PI; (3) Section 201(b) of the Act by representing in their privacy policies that they protected customers’ personal information, when in fact they did not; and (4) Section 201(b) of the Act by failing to notify all customers whose personal information could have been breached by the Companies’ inadequate data security policies.
This action raises interesting questions, such as whether the FTC and FCC will get into a turf war, and whether FTC and FCC standards will be consistent. When we see the second FCC action, some of these questions will start to be answered.