US Federal Communications Commission announces largest enforcement action for poor data security practices

November 4, 2014

The Federal Communications Commission (“FCC”) announced a $10 million fine on TerraCom and its affiliate YourTel America for poor data security practices. This comes in the same week as the FCC announced that it was joining the Global Privacy Enforcement Network, the second US regulatory agency to join the Network, after the Federal Trade Commission (the “FTC”).

The nub of the complaint is described as:

…TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is a Universal Service Fund program that provides discounted phone services for low-income consumers. The companies allegedly breached the personal data of up to 305,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud. 

and

In their privacy policies, the two companies stated that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.” Yet, from September 2012 through April 2013, the sensitive documents they collected from consumers were apparently stored in a format accessible via the Internet and readable by anyone. Ultimately, the personal information of up to 305,000 low-income consumers was apparently exposed to public view. Yet even after the companies learned of this security breach, they allegedly failed to notify all potentially affected consumers, depriving them of any opportunity to take steps to protect their personal information from misuse by Internet thieves.

TerraCom and YourTel America’s approach to data security was, at best, cavalier. But failing to notify customers of a data breach was incredibly foolish in terms of responsible management of data and customer relations.

The FCC’s action comes on the back of action it took last month against Verizon, fining it $7.4 million for unlawfully marketing to its customers without consent or notification of their privacy rights. The allegation against Verizon was summarised as:

…Verizon failed to notify approximately two million new customers, on their first invoices or in welcome letters, of their privacy rights, including how to opt out from having their personal information used in marketing campaigns, before the company accessed their personal information to market services to them.

and

For many of its customers, Verizon has used an opt-out process, sending opt-out notices to customers either as a message in their first bill or in a welcome letter. … beginning in 2006 and continuing for several years thereafter, Verizon failed to generate the required opt-out notices to approximately two million customers, depriving them of their right to deny Verizon permission to access or use their personal information for certain marketing purposes. Moreover … Verizon personnel failed to discover these problems until September 2012, and the company failed to notify the FCC of these problems until January 18, 2013, 126 days later.

The FCC’s enforcement actions have drawn comment from the privacy association in “Does the FCC Have FTC Envy?”, which provides:

It’s been a busy week for the U.S. Federal Communications Commission (FCC).

On Monday, the FCC announced its largest enforcement action to date by hitting TerraCom and its affiliate YourTel America with a $10 million fine for poor data security practices. That’s not chump change. Plus, the previous “largest enforcement action” for the agency only stood for seven months. In May, the FCC fined Sprint $7.5 million for violating the Telephone Consumer Protection Act. And just last month, the FCC fined Verizon $7.4 million for unlawfully marketing to its customers without consent or proper notification of their privacy rights.

But that’s not all.

On Tuesday, the FCC announced it has joined the Global Privacy Enforcement Network (GPEN), making it the second U.S. regulatory agency to join GPEN. That other agency? You guessed it, the Federal Trade Commission (FTC).

GPEN includes data protection authorities from across the world, and to date, they’ve conducted two “global sweeps.” The first analyzed the transparency of businesses, and earlier this year, the sweep analyzed mobile apps. Among the four tasks adopted by GPEN is an initiative to “support joint enforcement initiatives and awareness campaigns.”

And who is quoted in each of these FCC press releases?

That would be FCC Enforcement Bureau Chief Travis LeBlanc, and he’s no stranger to privacy enforcement. In fact, in his previous gig, he served as top deputy and senior advisor to current California Attorney General Kamala Harris, who is also known for being a privacy-protecting powerhouse.

Since being appointed to his FCC position, LeBlanc has helped lead this regulatory charge, saying in the GPEN press release that “threats to consumer privacy and data security often require the cooperation of numerous law enforcement agencies around the world” and adding that “it is critical that we work closely with our international partners abroad, as well as our federal, state and local partners here at home.”

So now the FCC has joined the global stage and it has leadership focused on privacy.

In the U.S., the FTC is considered by many the leading U.S. privacy regulator. In a Perspectives post in October 2013, Steptoe & Johnson Partner Jason Weinstein, CIPP/US, wrote, “The FTC has made itself America’s de facto Data Protection Authority (DPA) through aggressive use of Section 5 of the FTC Act…”

That was followed just months later by Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US, who argued that state attorneys general (AGs) are also a major part of the U.S. privacy regulatory landscape. They argued that state AGs have fewer hurdles to face in regulation than the FTC, noting most “AGs have authority to protect privacy under their state unfair and deceptive trade practice statute…” They concluded, “Thus, rather than having one de facto DPA in the FTC, the U.S. actually has 50+ such DPAs.”

Well, we can surely add the FCC to this mix now.

“I think you’re going to see more cooperation and cross-jurisdiction between these two agencies,” said Hogan Lovells Partner Christopher Wolf of the FCC and FTC.

On Wednesday, Wolf told me, “Just because a company is directly regulated by the FCC does not mean all of its business activities are exempt from FTC scrutiny. The scope of the FTC Act Section 5 prohibition against deceptive practices is broad. And likewise, the FCC has authority to protect privacy in certain ways even though the FTC is thought of as the leading federal privacy authority. Notably, FTC Commissioner Maureen Ohlhausen recently observed that the FTC is well-positioned to enforce net neutrality promises.”

Plus, in what seems like a game of privacy regulator musical chairs, the FTC on Tuesday announced it is suing AT&T under the deception prong of the FTC Act for promising users “unlimited” data plans and then subsequently “throttling” their accounts by slowing down service.

So the FTC is going after telcos and the FCC is pursuing violations of data privacy? Kind of seems like we’re in bizarro world, doesn’t it? Well, as we’re seeing with the GPEN and the work of commissioners coming out of Mauritius, regulators want to work together to regulate the vastly complicated digital world. We’ve seen other specific examples of regulators signing memorandums of understanding, such as the one signed between the FTC and Ireland’s data protection commissioner in 2013 or the joint investigation of WhatsApp’s privacy policy by the Office of the Privacy Commissioner of Canada and the Dutch DPA earlier in 2013.

I asked Wolf about the other, newer, regulator in the U.S.: the Consumer Financial Protection Bureau (CFPB) and where it fits into all of this.

“For a wide range of financial service companies, the CFPB is another regulator to be reckoned with,” he said. “One can imagine a company being subject to the jurisdiction of the FTC, FCC and CFPB—a trifecta of regulators.”

Not to mention those 50 state attorneys general, of course.

Expect to see more coordinated enforcement efforts, increased scrutiny and maybe a little saber-rattling. No regulator wants to be known as the pushover, right?

Clearly the US regulatory agencies, especially the FTC and more recently the FCC, are taking a proactive and assertive line in privacy regulation. Within its jurisdiction the FTC has been very active and quite high profile. The comparison with Australia is stark, even taking into account the differing systems. The FTC sees the benefit and necessity of high-profile enforcement action to send a message to the market about the importance of compliance. The Privacy Commissioner appears to be focused on education above regulatory action. Perhaps this was understandable when there were few enforcement powers under the Privacy Act before March 2014, but now it is mystifying. And it is not as if there is a lack of opportunity to take action. There remains a poor culture relating to privacy, a continuing belief that there is little risk of regulatory action being taken, and a general ignorance of obligations under the Privacy Act.
