On October 24, 2014, the Federal Communications Commission announced that it intends to impose a $10 million fine on TerraCom, Inc. (“TerraCom”) and YourTel America, Inc. (“YourTel”) for violating privacy laws relating to their customers’ personal information. This announcement marks the FCC’s first enforcement action in the data security arena as well as its largest privacy action to date.
Based on an investigation by the FCC’s Enforcement Bureau, TerraCom and YourTel allegedly maintained their customers’ sensitive information, including names, Social Security numbers, addresses and driver’s license numbers, on unprotected Internet servers that were accessible to the public. According to the FCC’s press release, this incident exposed the personal information of up to 305,000 consumers.
The FCC asserts that the carriers’ failure to reasonably secure their customers’ data violates their statutory obligation under the Communications Act of 1934 to protect personal information, and “constitutes an unjust and unreasonable practice in violation of the Act.” According to the FCC’s press release, the data security practices of these two companies lacked “even the most basic and readily available technologies and security features,” which created an “unreasonable risk of unauthorized access.” In addition, the FCC asserts that, even after becoming aware of the data security issue, the companies failed to notify affected customers, which also constitutes an unjust and unreasonable practice.
According to Travis LeBlanc, Chief of the FCC’s Bureau of Enforcement, “[c]onsumers trust that when phone companies ask for their Social Security number, driver’s license, and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world.” He added that “[w]hen carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”
FCC Commissioner Ajit Pai issued a dissenting opinion accusing the FCC of running afoul of the fair warning rule by asserting that “these companies violated novel legal interpretations and never-adopted rules,” and seeking to impose a “substantial financial penalty.” Commissioner Pai noted that he “cannot support such ‘sentence first, verdict afterward’ decision-making.”