The Federal Communications Commission (FCC) recently issued a joint fine to two related telecommunications companies in the amount of $10 million.
In its Notice of Apparent Liability and Forfeiture, the FCC stated that TerraCom, Inc. and YourTel America, Inc. (the “companies”), two companies with common shareholders and key management employees, stored 305,000 customers’ personal information online in a format that was accessible through internet search results. Specifically, the customers’ Social Security numbers, names, addresses, driver’s license numbers, and other sensitive information were open to the public from September 2012 to April 2013.
As its legal basis for issuing the fine, the FCC cites Sections 222(a) and 201(b) of the Communications Act of 1934, as amended. The specific violations are as follows:
- The companies violated Section 222(a) by failing to protect the confidentiality of personally identifiable information that consumers provided to the companies;
- The companies violated Section 201(b) by failing to employ reasonable data security practices to protect customers’ personally identifiable information;
- The companies violated Section 201(b) by falsely representing in their privacy policies that they protected customers’ personally identifiable information; and
- The companies violated Section 201(b) by failing to notify affected customers that their personally identifiable information was the subject of a breach.
After issuing the Notice, Travis LeBlanc, Chief of the FCC’s Enforcement Bureau, stated that “consumers trust that when phone companies ask for their social security number, driver’s license and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world. When carriers break that trust, the commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”
This is the second fine issued by the FCC in as many months. The first was levied against Verizon in September 2014 in the amount of $7.4 million. In light of these two recent fines, the comments from the Chief of the FCC’s Enforcement Bureau must be taken seriously. Not only does the FCC intend to hold communications companies responsible for data breaches, but, as the considerable fines demonstrate, those companies can also expect to be severely penalized. To avoid such staggering penalties, companies must, at a minimum, implement a comprehensive framework to protect personally identifiable information, create and employ a data breach response plan before the inevitable breach occurs, and appoint a data breach response team to ensure quick and appropriate compliance with data breach laws and regulations.