On October 24, 2014, the Federal Communications Commission (FCC) announced its intention to fine two telecom companies $10 million for several violations of laws protecting the privacy of phone customers’ personal information. This marks the FCC’s first data security case and the largest privacy action in the FCC’s history.
According to the FCC, TerraCom, Inc. and YourTel America, Inc. stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was collected in connection with eligibility verification for the Lifeline program, the government’s telephone subsidy program for low-income Americans. The companies allegedly breached the personal information of over 300,000 consumers through their lax security practices.
The privacy policies for the two companies stated that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.” Nevertheless, the FCC’s asserts that from September 2012 through April 2013, the sensitive information they collected was apparently accessible via the Internet and readable by anyone. Importantly, the FCC took issue with the fact that even after learning of the security breach, the companies allegedly failed to notify all potentially affected consumers, thus depriving the consumers of any opportunity to protect their personal information from misuse.
The FCC alleges that the carrier’s failure to reasonably secure their customer’s personal information violates the companies’ statutory duty under the Communications Act. Specifically, the carriers had an alleged duty to protect the information, and the companies failure to do so constitutes an unjust and unreasonable practice in violation of the Act, as their data security practices lacked “even the most basic and readily available technologies and security features…” Similarly, the FCC alleges that the companies’ deceptive and misleading representations of customer privacy protections, and their subsequent failure to notify, constitute unjust and unreasonable practices as well.
Travis LeBlanc, Chief of the FCC’s Enforcement Bureau, said, “Consumers trust that when phone companies ask for their…personal information, these companies will not put that information on the Internet or otherwise expose it to the world….When carriers break that trust, the [FCC] will take action to ensure that they are held accountable…”