The Federal Communications Commission (FCC) recently fined Cox Communications, Inc. (Cox) $595,000 for failing to properly protect its customers’ personal information related to a 2014 data breach. In the November 5, 2015, FCC order, the FCC stressed the importance of protecting cable and satellite consumers’ personal information and the consequences of failing to protect such information. This may be a signal that the FCC is ready to be more vigilant against cable and satellite service providers for data breaches.

Cox’s electronic data systems were breached in August 2014 when a hacker pretended to be from Cox’s IT department and convinced a Cox customer service representative and a Cox contractor to provide their Cox IDs and passwords to a fake website controlled by the hacker. With these Cox IDs and passwords, the hacker then gained access to personal data of Cox’s current and former customers, including their name, home addresses, email addresses, phone numbers, partial social security numbers, and partial license numbers. The hacker then posted some of this personal information on social network sites, changed the passwords of some customers, and shared some customers’ personal information with another hacker.

As part of the settlement with the FCC, Cox agreed to improve its privacy and data security practices, including designating a senior corporate manager, who is a certified privacy professional, to:

• oversee compliance with the consent decree,
• conduct privacy risk assessments,
• implement a written information security program,
• maintain a reasonable oversight of third-party vendors,
• implement a better data breach response plan, and
• provide privacy and security awareness training to employees and third-party vendors.

Over the last year, we have seen the Securities and Exchange Commission address cybersecurity in addition to the U.S. Court of Appeals for the 3rd Circuit’s holding that the Federal Trade Commission has the authority to regulate cybersecurity for American businesses and corporations. In addition to the FCC’s fines against telecommunications providers, this action brought by the FCC provides the latest example in a long line of government agencies having to regulate emerging issues concerning data security.

The post The First Cable Operator to Be Targeted by the FCC for Data Breach Settles for $595,000 appeared first on Privacy Risk Report.

The Federal Communications Commission (“FCC”) announced on October 24 that it is seeking $10 million in fines from two telecommunications providers, TerraCom, Inc. and YourTel America, Inc. The FCC asserts in its action that both companies are guilty of “data negligence.”

In a press release the FCC announced that it was seeking these fines as a result of the violation of the Communications Act of 1934. Apparently both companies collected and stored customer social security numbers and other potentially sensitive information on servers that were inadequately protected from invasion. The collected information included names, addresses and driver’s licenses for over 300,000 consumers. The October 24th announcement by the FCC does not indicate how they learned of the asserted breach or of the methods used by the two companies in storing their electronic customer data.

The press release states, “This is the Commission’s first data security case and the largest privacy action in the Commission’s history.” The FCC focused on the data protection policies of both companies when taking action and assessing the fine. According to the FCC, both companies had a privacy policy that stated in part that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.”  To the contrary, all of this personally sensitive information was accessible through the internet and readable by anyone who cared to look for it.

In addition, the FCC asserts, when the companies were notified of the deficiencies in their data protection systems, “they failed to notify all potentially affected consumers, depriving them of any opportunity to take steps to protect their personal information from misuse by Internet thieves.” This failure to reasonably secure personally sensitive customer information constitutes a violation of the companies’ statutory duties.

Both the lax security measures and the companies’ failure to notify affected consumers were considered statutory violations. The FCC stated “when carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”

This enforcement action by the FCC leaves open a number of related questions. Will other regulated industries face similar enforcement actions by their respective regulators? The Securities and Exchange Commission has previously launched an investigation into data security. Will the federal regulators become the data watchdogs for cybersecurity? Will the regulators be compelled to issue compliance regulations that could be viewed as safe harbors from prospective enforcement actions? Will there be any coordination between the federal regulatory agencies on the issuance of compliance standards and a minimum standard for enforcement?

Stay tuned…

The post FCC Seeks $10 Million in Fines for Consumer Data Breaches appeared first on Privacy Risk Report.