FCC Imposes Record-Breaking Security Breach Fines

The FCC takes a seat at the cyber-regulation table (Cyber Risk Network, 8 Dec 2014) – The FCC recently slid up its chair to the fiscal feast that is cyber security and data breach regulation and took a hefty piece of the pie. In late October the FCC announced that it charged a record $10 million fine against two telecommunication companies after the telecoms reportedly posted the private information of nearly 300,000 people in a manner making the people eligible for identity theft. Taking a cue from the Federal Trade Commission (“FTC”), the FCC action was not based on any new set of concrete regulations or laws established to give organizations a minimum bar for data protection, but rather on existing FCC powers established under the Communications Act of 1934. The action serves as good warning not only to communications providers that the FCC will be examining data breaches and, more expressly, data storage issues, but also that in the absence of clear cybersecurity regulations, federal agencies will take an expansive view of their existing authority to address cybersecurity-related incidents involving companies subject to their jurisdiction. Similar to the FTC’s response, the FCC’s first foray into data beach regulation was born from its interpretation of its existing authority under the Communications Act of 1934 (the “Act”). Under the Act, the FCC is responsible for regulating interstate and international communications by radio, television, wire, satellite, and cable throughout the United States and its territories. Moreover, under 503(b)(1) of the Act, the FCC is authorized to impose a forfeiture penalty against “any person who willfully or repeatedly fails to comply with any provision of the Act.” As the FCC described in its Notice of Forfeiture, that is exactly what two companies did, YourTel America and TerraCom Inc., when they collected the data of up to 300,000 customers to determine eligibility for the FCC’s low-income discount phone program, “Lifeline.” In order to enroll, potential participants had to demonstrate eligibility by submitting personal information to the Companies, including the applicant’s name, address, date of birth, social security number, and driver’s license information. Between September 2012 and April 2013, the FCC alleges that applicants’ information was stored on data servers that were publicly accessible via the Internet, a fact made known to the FCC after reporters from the Scripps Howard News Service advised the FCC that they were able to access at least 128,066 confidential records by using a simple Google search. Acting under the authority provided by the Communications Act, as amended by the Telecommunications Act of 1996 , the FCC charged the Companies with violations of Sections 222(a) and 201(b) Under 222(a), a carrier has a duty “to protect the confidentiality of proprietary information of, and relating to . .. customers.” Similarly, 201(b) makes it unlawful for a carrier to employ “unjust or unreasonable” data security practices related to its “practices,” such as, in this case, holding customers’ “proprietary information.”


Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/SergeBerstasiusPhotography