Last Friday, the FCC announced that it intends to fine two telecommunications carriers — TerraCom, Inc., and YourTel America, Inc. — a total of $10 million for failing to protect certain customer data. According to the FCC, the two carriers, which provide discount phone services to low-income individuals, posted customer “proprietary information” on unprotected Internet servers that were accessible by the public. The fine, approved by a 3-2 vote, represents the largest privacy action in FCC history, eclipsing a $7.4 million fine handed down to Verizon in early September for failing to provide customers with required notices about Verizon’s use of Customer Proprietary Network Information (“CPNI”).
TerraCom and YourTel America provide discounted phone services to low-income customers through Lifeline, a program administered as part of the Universal Service Fund. The FCC found that, in order to verify customer eligibility for the program, both companies gathered sensitive proprietary information — including Social Security numbers, names, addresses, and driver’s license numbers — from applicants and customers. Apparently, both companies’ privacy policies stated that they utilized “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.” However, the FCC found that information regarding 305,000 customers was stored on publicly accessible Internet servers between September 2012 and April 2013, when reporters from Scripps Howard News Service inadvertently discovered the documents by running an internet search and alerted the companies. The FCC also found that the companies’ failure to promptly notify customers of the breach prevented those customers from taking steps to avoid identity theft.
The FCC’s action in this case is notable because it appears to mark the first time the agency has applied Section 222 rules designed to protect a specific category of customer data — CPNI — to activity that resulted in the public exposure of a broader range of data (what the FCC referred to as “proprietary data”). The FCC’s action also is notable because it marks the first time the FCC has determined that a failure to adequately protect customer data amounts to an “unjust and unreasonable” practice in violation of Section 201(b) of the Communications Act. In this respect, the FCC’s action appears to create a standard similar to the FTC’s “Safeguards Rule,” which requires that companies take industry-appropriate steps to protect certain types of customer data. The FCC’s action also marked the first time the agency issued a proposed fine for a carrier’s failure to notify subscribers of a breach of their information.