The Federal Communications Commission (“FCC”) announced on October 24 that it is seeking $10 million in fines from two telecommunications providers, TerraCom, Inc. and YourTel America, Inc. The FCC asserts in its action that both companies are guilty of “data negligence.”

In a press release, the FCC announced that it was seeking these fines for violating the Communications Act of 1934. Apparently both companies collected and stored customer Social Security numbers and other potentially sensitive information on servers that were inadequately protected from invasion. The collected information included names, addresses and driver’s licenses for over 300,000 consumers. The October 24 announcement by the FCC does not indicate how it learned of the asserted breach or of the methods used by the two companies in storing their electronic customer data.

The press release states, “This is the Commission’s first data security case and the largest privacy action in the Commission’s history.” The FCC focused on the data protection policies of both companies when taking action and assessing the fine. According to the FCC, both companies had a privacy policy that stated in part that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.” To the contrary, all of this personally sensitive information was accessible through the internet and readable by anyone who cared to look for it.

In addition, the FCC asserts, when the companies were notified of the deficiencies in their data protection systems, “they failed to notify all potentially affected consumers, depriving them of any opportunity to take steps to protect their personal information from misuse by Internet thieves.” This failure to reasonably secure personally sensitive customer information constitutes a violation of the companies’ statutory duties.

Both the lax security measures and the companies’ failure to notify affected consumers were considered statutory violations. The FCC stated, “when carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”

This enforcement action by the FCC leaves open a number of related questions. Will other regulated industries face similar enforcement actions by their respective regulators? The Securities and Exchange Commission has previously launched an investigation into data security. Will the federal regulators become the data watchdogs for cybersecurity? Will the regulators be compelled to issue compliance regulations that could be viewed as safe harbors from prospective enforcement actions? Will there be any coordination between the federal regulatory agencies on the issuance of compliance standards and a minimum standard for enforcement?

Stay tuned…