Communications Daily is a Warren News publication.
Both Republicans Dissent

FCC Intends to Hit Two Lifeline Providers With $10 Million Fine After Data Breach

­­The FCC proposed a joint $10 million fine for two carriers for allegedly failing to protect their phone customers' sensitive information. TerraCom and YourTel allegedly breached the personal data of up to 300,000 consumers “through their lax data security practices and exposed those consumers to identity theft and fraud,” the FCC said Friday in a public notice (http://bit.ly/1wmkB3C). They placed hundreds of thousands of their customers’ personal, sensitive information on the Internet, said Travis LeBlanc, Enforcement Bureau chief. The personal information the companies apparently failed to protect include Social Security numbers, names and addresses, and driver’s licenses, he said Friday during a teleconference with reporters.

Sign up for a free preview to unlock the rest of this article

Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!

Commissioner Ajit Pai criticized the decision, saying the agency invented and enforced a legal obligation. The adoption of the item resulted in the cancellation of a special FCC meeting that was to have been held Friday (see 1410200054). Both Pai and Commissioner Mike O'Rielly voted against the PN.

The companies collected the personal data to verify eligibility for the Lifeline program, LeBlanc said. But the carriers stored the information “without encryption or password protection, and on servers without protective firewalls,” he said. Identity theft is the fastest growing crime in the U.S., he said. The enforcement action “addresses one of the leading contributors to the crime of identity theft, namely deficient data security practices,” he said.

The action follows the $7.4 million settlement with Verizon for failing to notify customers of privacy rights before the company marketed their information (see 1409090031). The action against TerraCom and YourTel won’t be the last, said LeBlanc. “Today’s action serves as a warning to other carriers.”

TerraCom and YourTel are fully committed to protecting personal data of Lifeline applicants, said Dale Schmick, chief operating officer of both. They have rigorous privacy safeguards in place to prevent data from disclosure, he said in a statement. "When faced with this instance of unauthorized access, we fully complied with state laws regarding notification of affected consumers." TerraCom and YourTel took measures to increase data security technology, including the conducting multiple security audits "to prevent further breaches from taking place," he said.

The FCC “runs afoul of the fair warning rule,” Pai said in his dissent. It has never interpreted the Communications Act to impose an enforceable duty on carriers to employ reasonable data security practices to protect personally identifiable information (PII), he said. The commission has never adopted rules regarding misappropriation, breach or unlawful disclosure of PII, he said. The agency could have opened a notice-and-comment rulemaking, he said. Instead, the FCC “proposes a forfeiture today that, if actually imposed, has little chance of surviving judicial review,” he said.

The companies stored customers’ data on a foreign third-party vendor service between Sept. 30, 2012, and April 26, 2013, LeBlanc said. It was stored in two publicly accessible folders that lacked any password protection or encryption, he said. The carriers’ privacy policies also promised consumers that they implemented security features to safeguard privacy, Le Blanc said. But “they had not,” he said.

The rule requires Lifeline providers to destroy documentation “as soon as practical,” LeBlanc said. They must keep a record of the evidence that they reviewed to determine eligibility, “so there was nonetheless an ability to look back and see what information they had available,” but the information was to be destroyed, he said.

Public Knowledge applauded the action. Consumers need to be able to trust that carriers “will respect their privacy and take reasonable steps to keep private information secure,” staff attorney Laura Moy said in a release (http://bit.ly/1t95hoC). With the FCC action, “we hope that carriers will see fit to reexamine their privacy practices to ensure that they are in full compliance with the law,” she said.