It is a sure sign that the tide on privacy and security enforcement has turned when the Federal Communications Commission (FCC), an agency not known for taking enforcement actions in the data privacy and security space, fines two telecoms $10 million. On Friday, October 24, 2014, the FCC issued a Notice of Apparent Liability for Forfeiture (Notice) against TerraCom, Inc. and YourTel America, Inc., levying, in a 3-2 vote, a fine against the two companies for failing to protect the "proprietary information" of low-income Americans.[1]
The issue came to light in 2013 when a reporter from the Scripps Howard News Service discovered that the companies were storing the information in an unsecured manner; over a period of several days, Scripps reporters accessed 128,066 documents. When the news service brought the issue to the attention of the two companies, the companies sent a cease and desist letter to Scripps calling the reporters "hackers".[2] The companies notified the FCC Enforcement Bureau on May 7, 2013 regarding the incident, "claim[ing] that the Companies were victims of a security breach."[3] The FCC alleges that the companies exposed the proprietary information of more than 300,000 consumers. As the opening paragraph of the Introduction explains:

Today, we take action against two companies that collected names, addresses, Social Security numbers, driver's licenses, and other proprietary information (PI) belonging to low-income Americans and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation. The companies stored such consumer PI in two publicly accessible folders on the Internet without password protection or encryption. By not employing appropriate or even reasonable security measures, the companies exposed their customers to an unacceptable risk of identity theft and other serious consumer harms.[4]

The FCC found that the companies violated Sections 201(b) and 222(a) of the Communications Act of 1934 as well as FCC Rules when they: (i) failed to properly protect the confidentiality of consumers' PI they collected from applicants for the Companies' wireless and wired Lifeline telephone services;
In its action, the FCC explains, TerraCom and YourTel "apparently willfully and repeatedly" violated their duties under Section 222(a) of the Communications Act of 1934, which requires carriers "to protect the confidentiality of proprietary information of, and relating to . . . customers."[8] The FCC further notes that "[t]he Commission has made clear that section 222(a) requires carriers to take every reasonable precaution to protect the confidentiality of proprietary or personal customer information and that it was committing to taking resolute enforcement action to ensure that the goals of section 222 are achieved."[9] While declining to adopt the NIST definition of personally identifiable information, the Commission found it instructive in formulating its definition of proprietary information, and read that definition broadly:

In the context of Lifeline service at issue here, "proprietary information" includes all documentation submitted by a consumer or collected by an ETC to determine a consumer's eligibility for Lifeline service, as well as all personally identifiable information contained therein.
Specifically, information such as a consumer's (i) first and last name; (ii) home or other physical address; (iii) email address or other online contact information, such as an instant messaging screen name that reveals an individual's email address; (iv) telephone number; (v) Social Security Number, tax identification number, passport number, driver's license number, or any other government-issued identification number that is unique to an individual; (vi) account numbers, credit card numbers, and any information combined that would allow access to the consumer's accounts; (vii) Uniform Resource Locator ("URL") or Internet Protocol ("IP") address or host name that identifies an individual; or (viii) any combination of the above, constitutes "proprietary information" protected by Section 222(a).[10] This broad reading is consistent with the approach taken by the Health Insurance Portability and Accountability Act (HIPAA) in its definition of protected health information, as well as with the definitions of personally identifiable information adopted by more recent state data breach laws, such as the Florida Information Protection Act of 2014. Interestingly, in assessing consumer expectations, the FCC, like the Federal Trade Commission, also looked at the promises the telecoms made in their privacy policies, noting specifically that:

The Companies' privacy policies assure those persons submitting "[c]ustomer specific information" through their website that they will protect that information and, in fact, inform such applicants that "[b]y providing us with your information, you acknowledge that you have read this privacy policy, understand it, agree to its terms and consent to the transfer of such information outside your resident jurisdiction."[11]

The telecoms therefore set expectations in the minds of their consumers that they then failed to meet.
Further, the FCC found that TerraCom and YourTel violated Section 201(b) of the Communications Act of 1934, because their "failure to protect and secure the PI of their customers . . . constitute[d] an unjust and unreasonable practice."[12]

Unreasonable Data Privacy and Security Practices

According to the FCC, the "evidence shows that the Companies' security measures lacked even the most basic features to protect consumers' PI."[13] The FCC noted the following practices as being unreasonable:
The FCC also found it troubling that the companies notified only 35,129 of the potentially 300,000+ consumers that were impacted. The telecoms argued that they followed the data breach laws of each individual state, but the FCC found the "failure to notify all affected consumers of the breach unjust and unreasonable because it left consumers ignorant about the risks of identity theft problems that may occur due in whole or part to the breach, a problem made even more troubling in light of the Companies' admission that they do not know the extent or breadth of the breach."[18]

-------------------------------------------

[1] FCC, In the Matter of TerraCom, Inc. and YourTel America, Inc., File No. EB-TCD-13-00009175, FRNs 0010103745 and 0020097572 (Oct. 24, 2014), https://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1027/FCC-14-173A1.pdf.
[2] Id. at para. 6-7.
[3] Id. at para. 8.
[4] Id. at para. 1 (emphasis added).
[5] Id. at para. 3.
[6] Id. at para. 5.
[7] Id.
[8] Id. at para. 13.
[9] Id. (internal quotations and citations omitted).
[10] Id. at para. 19.
[11] Id. at para. 25. See also the discussion starting in para. 36.
[12] Id. at para. 31.
[13] Id. at para. 29.
[14] Id.
[15] Id.
[16] Id. at para. 33.
[17] Id. at para. 32.
[18] Id. at para. 39.

-------------------------------------------

Posted by Tatiana Melnik on October 27, 2014.