Haynes and Boone, LLP
  October 29, 2014 - United States of America

FCC Brings its First Data Breach Enforcement Action
  by Emily Westridge Black, Timothy Newman, Phong Tran

The Federal Communications Commission (“FCC”) is the latest government agency to make a foray into data breach enforcement, proposing a $10 million fine against two telecommunications carriers for failing to protect the personal information of up to 305,000 consumers. In light of this development, companies regulated by the FCC must now be alert to potential liability to the FCC for failing to secure consumers’ “proprietary information” (“PI”). In this alert, we discuss the potential ramifications of this enforcement action and discuss best practices that a company may implement to avoid liability.


Background

The FCC brought the enforcement action against two telecommunications companies, Terracom, Inc. and YourTel America, Inc. (collectively, the “Companies”), which provide telecommunications services to low-income residential customers as part of the federal Lifeline program. To enroll in this program, potential customers must demonstrate eligibility by submitting their personal information to the Companies. Each applicant was required to submit information such as the applicant’s name, address, date of birth, social security number, and driver’s license information.


The FCC alleges that between September 2012 and April 2013, applicants’ information was stored on data servers that were publicly accessible via the Internet. An investigative reporter made the discovery in early 2013. Over a period of approximately one month, the reporter was able to access at least 128,066 confidential records by using a simple Google search to locate a consumer’s data file and then shortening that file’s URL to gain access to the entire directory of consumer data.


The FCC Enforcement Action

The FCC is asserting authority to regulate cybersecurity in this instance under the Communications Act of 1934 (the “Act”). Under the Act, the FCC is tasked with regulating interstate and international communications by radio, television, wire, satellite, and cable throughout the United States and its territories. Moreover, § 503(b)(1) of the Act grants the FCC authority to impose a forfeiture penalty against “any person who willfully or repeatedly fails to comply with any provision of the Act.”


Acting under this authority, the FCC charged the Companies with violations of Sections 222(a) and 201(b) of the Act. Under § 222(a), a carrier has a duty “to protect the confidentiality of proprietary information of, and relating to . . . customers.” Correspondingly, § 201(b) makes it unlawful for a carrier to employ “unjust or unreasonable” data security practices related to customers’ PI. Specifically, the FCC alleged that the Companies violated:

(1) § 222(a) for failing to protect the confidentiality of PI that consumers provided for Lifeline enrollment; 
(2) § 201(b) for failing to employ reasonable data security practices to protect consumers’ PI; 
(3) § 201(b) for misrepresenting in their privacy policies that they employed reasonable security measures to protect customers’ PI; and 
(4) § 201(b) for failing to notify all affected customers.


In finding that the Companies had a duty under § 222(a) to protect the confidentiality of their customers’ PI, the FCC adopted the view that “proprietary information” should be broadly interpreted “as clearly encompassing private information that customers have an interest in protecting from public exposure.” According to the FCC, “proprietary information” includes “such confidential information as privileged information, trade secrets, and personally identifiable information.” Consequently, the FCC concluded that the information gathered by the Companies fell within the statutory protections of § 222(a).


The FCC rejected the Companies’ argument that a duty to protect PI does not arise until an applicant actually becomes a subscriber. Noting that applicants “have a reasonable expectation that the carrier will protect the confidentiality of the PI they provide as part of that transaction,” the FCC interpreted “customer” to include applicants as well as subscribers of a telecommunications service, adopting the broader of the two potential interpretations.


Accordingly, the FCC concluded that the Companies breached § 222(a) because they failed to provide even the most basic security measures to protect consumers’ PI. The Companies’ alleged failure to implement these security measures exposed their customers to potentially substantial injury such as identity theft and other harms.


The FCC also found that the Companies violated § 201(b). More specifically, they:


In exercising its forfeiture authority under § 503(b)(1), the FCC noted that the “protection of consumer PI is a fundamental obligation of all telecommunications carriers.” Accordingly, the FCC proposed a $10 million fine for the Companies’ conduct. The Companies have 30 days from the date of the notice to seek a reduction of the fine.


Takeaways

In light of the FCC’s foray into data breach enforcement, companies regulated by the agency should review their current data security practices. Among other things, companies should:



A copy of the FCC’s Notice of Apparent Liability against Terracom, Inc. and YourTel America, Inc. can be found here.

If you have any questions, contact:

Ronald W. Breaux
214.651.5688
[email protected]

Emily Westridge Black
512.867.8422
[email protected]

Gavin D. George
214.651.5148
[email protected]

Timothy Newman
214.651.5029
[email protected]

Read full article at: http://www.haynesboone.com/fcc-brings-first-data-breach-enforcement-action/