Caveat Vendor
FCC Enters New Area of Privacy and Data Security Regulation with Proposed $10 Million Fine
By Matt Gibson
In a split vote last Friday, the Federal Communications Commission (FCC or Commission) invoked a seldom-used provision of the Communications Act and
Background
According to the FCC, TerraCom and YourTel are telecommunication carriers that offer wireless, voice and data services in various states and US territories. Beginning in 2012, the companies (which have common shareholders and key managers) began to offer reduced-cost services to qualifying low-income individuals under the FCC’s Lifeline program. Under the FCC’s Lifeline regulations, the companies were required to verify applicants’ eligibility for the Lifeline service – a process that entailed collecting various types of personal information, including address, date of birth, Social Security Number, driver’s license or state ID card information, and financial information.
In last Friday’s
The FCC’s Investigation and Proposed Fine
The companies notified the FCC of the Scripps reporter’s actions, and, shortly thereafter, the FCC’s Enforcement Bureau launched an investigation, which culminated with the adoption of the NAL. After determining that the companies may have exposed the personal information of up to 305,000 consumers, the FCC found the companies apparently liable for violating their obligation under the Communications Act to “protect the confidentiality of proprietary information of, and relating to . . . customers” in four ways:
By allegedly failing to protect the confidentiality of personal information collected from Lifeline applicants;
By allegedly failing to employ reasonable data security practices;
By allegedly engaging in deceptive and misleading practices when the companies stated in their privacy policies that they used appropriate technologies to protect personal information; and
By allegedly failing to notify consumers of the breach of the companies’ security.
Although the FCC identified four apparent violations of the Communications Act, in a footnote, the agency explained that the proposed $10 million fine does not cover the companies’ alleged failure to provide breach notifications, as this was the first time in which the FCC has determined that a carrier’s failure to notify consumers of a security breach is a violation of the Communications Act.
Possible Next Steps
Based on the size of the fine and the FCC’s
Most notably, both dissenting commissioners fault the majority’s choice to use an enforcement action to establish a new regulatory policy. Although Congress has clearly authorized the FCC to regulate telecommunications privacy issues to some degree, according to Commissioners Pai and O’Rielly, the NAL represents such a stark departure from the agency’s prior reading of the Communications Act that the Commission should have first solicited public comment on its new, expansive interpretation of its authority in this area.
Commissioner O’Rielly goes further and questions the fundamental premise that the Communications Act authorizes the FCC to regulate data security issues in this manner. In his
Because of the companies’ ability to challenge the NAL, the ultimate outcome of the TerraCom proceeding is unclear at this point. At the very least, however, the TerraCom NAL serves as a notice to the telecommunications sector that the FCC is becoming an active privacy and data security regulator – and it isn’t afraid to develop new and creative ways to test the limits of its authority.
Caveat Vendor is Paul Hastings’ Consumer Issues blog.