On October 24, the Federal Communications Commission (FCC) slapped a $10 million fine on two telecom companies that allegedly stored personally identifiable customer data online without firewalls, encryption or password protection.
According to Travis LeBlanc, chief of the FCC’s enforcement bureau:
“Consumers trust that when phone companies ask for their Social Security number, driver’s license, and other personal information, these companies will not put that information on the internet or otherwise expose it to the world. When carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”
The offending companies were YourTel America and TerraCom. Both shared the same owners and management. From September 2012 to April 2013, the FCC said that the companies collected information online from applicants to Lifeline, the government’s telephone subsidy program for impoverished Americans. In order to prove their eligibility, potential customers are asked to provide their personal information, including Social Security numbers, dates of birth, addresses, names and driver’s license numbers.
Acceptable practice would be to store this data in a secure manner, or destroy it after individuals’ eligibility was established. However, the FCC reported that the companies kept the information on publicly accessible internet servers. When reporters for the Scripps Howard News Service accessed the data through a simple Google search, they reported on the lax security measures and notified the FCC. Approximately 300,000 customers may have been affected in this event.
According to LeBlanc, the telecom companies “made their customers’ personal, sensitive information publicly accessible to all the world via the internet. This is unacceptable… This is the first data security enforcement action [by the FCC], but it will not be the last.”
The agency’s $10 million fine will be split between YourTel and TerraCom. A spokesman for the companies did not immediately respond to a request for comment.
Increasing Attention to Privacy
It’s about time that the FCC started paying more attention to privacy cases. This year has been punctuated by a number of high-profile data breaches, indicating both a real threat to consumers and an enforcement opportunity for regulators. Thus far, the Federal Trade Commission (FTC) has been the agency to file most of the complaints against companies that have failed to safeguard their data. However, the FCC’s latest action – just its second privacy case in as many months, and the first dealing with data security – indicates that it may be taking on a growing role as a privacy regulator as well.
A Similar Situation
This case makes an interesting comparison with the recent $7.4 million settlement Verizon paid for its privacy violations. However, Verizon’s settlement was not legally a fine. Also, that case was more about what Verizon was doing with the data, in selling it to advertisers, than about neglecting to secure it.
The Federal Communications Commission may be assuming a new role in data security litigation, as it levied a staggering $10 million fine against two telecom companies that allegedly stored personally identifiable customer data online, without firewalls, encryption or password protection.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- Regulatory authorities – Federal Trade Commission (I.A.d.i.)
- Regulatory authorities – Federal Communications Commission (I.A.d.ii.)