In a first for the FCC, the agency announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:
The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is a Universal Service Fund program that provides discounted phone services for low-income consumers. The companies allegedly breached the personal data of up to 305,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud. This is the Commission’s first data security case and the largest privacy action in the Commission’s history.
The full text of the FCC’s decision can be found here. The specific charges were that the companies:
violat[ed] (1) Section 222(a) of the Act for failing to protect the confidentiality of PI that consumers provided to demonstrate eligibility for Lifeline telecommunications services; (2) Section 201(b) of the Act by failing to employ reasonable data security practices to protect consumers’ PI; (3) Section 201(b) of the Act by representing in their privacy policies that they protected customers’ personal information, when in fact they did not; and (4) Section 201(b) of the Act by failing to notify all customers whose personal information could have been breached by the Companies’ inadequate data security policies.
This action raises interesting questions, such as whether the FTC and FCC will get into a turf war, and whether FTC and FCC standards will be consistent. When we see the second FCC action, some of these questions will start to be answered.
I discussed this issue with Law360:
Challengers are likely to argue that Congress did not intend for personal information to be included in the definition of proprietary data when it added the provision to the statute in 1996. Foley Hoag LLP privacy and data security practice co-chair Colin Zick noted that the argument might be aided greatly by another statute enacted that year, the Health Insurance Portability and Accountability Act, which protects personal health information.
“Lawmakers knew how to call something personal information in HIPAA, but they used a different term in another statute passed in the same year,” Zick said. “To me, that means something different.”