On October 24, 2014, the Federal Communications Commission (“FCC”) took a big step into the cybersecurity regulatory space when it announced its intent to assess a $10 million fine against two telecoms, TerraCom and YourTel America (“Companies”), for failing to protect the privacy of personal information the Companies collected from consumers. According to the FCC, the Companies did not properly secure the personal information collected from applicants to the Lifeline program, which is designed to help low-income individuals and families receive communications services. The names, addresses, Social Security numbers, and other personal information of the applicants were stored on a server that was maintained by a third-party service provider and was publicly accessible from the Internet. A reporter discovered the consumer information using a Google search and notified the Companies, which in turn notified the FCC. The FCC also alleged that both Companies failed to notify all of the potentially affected consumers of the breach.
The FCC conducted an inquiry and charged the two Companies with four violations under the Communications Act of 1934, Sections 201(b) and 222(a):
- A violation under Section 222(a) for failing to protect the confidentiality of personal information that consumers provided to demonstrate their eligibility for the Lifeline program;
- A violation under Section 201(b) for failing to employ reasonable data security practices to protect consumers’ personal information;
- A violation under Section 201(b) by representing in the Companies’ privacy policies that they protected consumers’ personal information, when in fact they did not; and
- A violation under Section 201(b) by failing to notify all consumers whose personal information could have been breached by the Companies’ inadequate data security.