FCC Signals Seriousness of Data Protection by Imposing Record $10 Million Fine on TerraCom, YourTel America
By Mark Del Bianco
In a notice of apparent liability (NAL) adopted on Oct. 24, the FCC imposed strict new requirements on telecom carriers to protect the personal information (PI) of their customers. The FCC found that sister companies TerraCom Inc. and YourTel America Inc. collected names, addresses, Social Security numbers, driver’s licenses and other PI and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation. The companies outsourced their back-office and data protection functions to an Indian company, which stored the PI in two publicly accessible folders on the Internet without password protection or encryption. By not employing appropriate or even reasonable security measures, the companies exposed their customers to an unacceptable risk of identity theft and other serious consumer harms.
The FCC concluded that the companies willfully and repeatedly violated Sections 201(b) and 222(a) of the Communications Act when they allegedly: (i) failed to properly protect the confidentiality of consumers’ PI they collected from applicants for the Companies’ wireless and wired Lifeline telephone services; (ii) failed to employ reasonable data security practices to protect consumers’ PI; (iii) engaged in deceptive and misleading practices by representing to consumers in the Companies’ privacy policies that they employed appropriate technologies to protect consumers’ PI when, in fact, they had not; and (iv) engaged in unjust and unreasonable practices by not fully informing consumers that their PI had been compromised by third-party access. The FCC proposed a forfeiture of $10,000,000, the largest in its history for violations related to data protection.
The companies’ woes are not over. The NAL makes clear that there are also ongoing state investigations of the companies’ actions. We may soon see the other shoe drop as states impose punishments of their own.
The NAL is not an agency regulation applicable to all telecom carriers, but it certainly is an indication of the FCC’s new enforcement priorities. Since 2013, the FCC has hired a new Enforcement Bureau chief and a number of lawyers who are former assistant U.S. attorneys. They have brought a prosecutorial outlook to the Bureau and, to put it bluntly, are looking for scalps to hang on their walls.
This decision should be a wake-up call for all telecom carriers to examine their own policies and operations immediately. They need to make sure they understand what PI they collect and maintain, where and how it is stored and protected, and how it is used. They also need to make sure that their privacy policies are clear and are consistent with the way that they actually collect, protect and use PI data. Perhaps most importantly, they need to understand that outsourcing responsibility for any part of their data protection duties is impossible; they will be liable for whatever their contractors or partners do or fail to do. In most cases, analyzing all these risks will require the involvement of outside counsel experienced in privacy issues.
It is too early to say exactly what this NAL means for cloud services providers going forward. The companies involved here were telecom carriers, not cloud services providers. As carriers, they are subject to the Commission’s jurisdiction and to the privacy provisions of the Communications Act. Many cloud services providers are not telecom carriers and thus are not subject to the Act or the FCC’s jurisdiction. However, they are subject to the jurisdiction and privacy rules of the Federal Trade Commission (FTC). The FTC, like the FCC, is developing its privacy rules through the enforcement process and on a case-by-case basis. The FTC has been even more aggressive than the FCC in its enforcement actions. It is very likely that in a future case involving a cloud services provider, the FTC will look to the standards developed by the FCC in this case. Thus, cloud services providers (and resellers who are white-labelling cloud services) would do well to conduct a similar audit of their practices and take immediate steps to minimize potential risk.
Mark Del Bianco, principal, Law Office of Mark C. Del Bianco, is based in the metropolitan Washington, D.C., area. His practice focuses on domestic and international telecom clients, particularly those implementing new technologies such as WiMAX, gigabit Ethernet and FTTH. Other clients include applications providers, channel sales agents and enterprise customers. Del Bianco was a member of the 2013-14 Channel Partners Advisory Board.