FCC Joins HHS, SEC, Treasury and the FTC in Enhanced Enforcement of Cybersecurity Regulations

Nov 5, 2014 | Blog

We have documented enhanced cybersecurity enforcement efforts by the U.S. Department of Health and Human Services, the Securities and Exchange Commission, the Treasury Department, and the Federal Trade Commission in prior posts. Now, the Federal Communications Commission (the “FCC”) is joining the concerted governmental effort to ensure that sensitive information remains protected and confidential. On October 24, 2014, the FCC announced its intent to fine two companies $10 million for allegedly lax information management practices. According to the FCC, the two companies, TerraCom Inc. and YourTel America, Inc., stored customer information, including names, addresses, and Social Security numbers, in a publicly accessible folder on the internet. The folder was not password protected, nor was the information encrypted. According to the FCC, the companies’ security practices were “the practical equivalent of having provided no security at all.”

The FCC’s intent to enforce its cybersecurity provisions was made unmistakably clear in the Introduction to its October 24, 2014 Notice of Apparent Liability for Forfeiture (the complete FCC Notice can be seen here):

The Commission is committed to protecting the sensitive personal information of American consumers from misappropriation, breach and unlawful disclosure. Today, we take action against two companies that collected names, addresses, Social Security numbers, driver’s licenses, and other proprietary information (PI) belonging to low-income Americans and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.

In addition to the lack of security controls, the FCC also found that the companies engaged in deceptive practices. Specifically, each company publicly posted a privacy policy that indicated that each company “has implemented technology and security features to safeguard the privacy of . . . information from unauthorized access or improper use and will continue to enhance its security measures as technology becomes available.” In light of the lack of security measures, the FCC found the representations in each of the privacy policies were “false, deceptive, and misleading.”

In his statement about the fine, FCC Chairman Tom Wheeler said that the FCC “cannot – and will not – stand idly by when a service provider’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.” Indeed, a $10 million fine is a strong statement about the FCC’s stance on companies that do not adequately secure data.

If you have questions about regulations and laws applicable to information management protocols and safeguards, please contact Kenneth N. Rashbaum.