On October 24, 2014, the Federal Communications Commission (“FCC”) announced that it intends to fine two telecommunications companies $10 million for storing confidential personal information of up to 305,000 customers in a manner that was publicly accessible on the Internet. The FCC’s Enforcement Bureau maintains that the security breach, noncompliance with the companies’ privacy notices, and failure to notify customers of the breach violates Sections 201(b) and 222(a) of the Communications Act of 1934 (as amended).

According to the FCC report, TerraCom, Inc. and YourTel America, Inc. are related corporate entities that provide “Lifeline” telecommunications services. Lifeline is a government program that makes available discounted phone services to low-income residential customers under federal assistance programs. In order to qualify for the Lifeline service, applicants submitted their confidential information (including Social Security numbers, driver’s licenses and tax returns) on the companies’ websites, which were hosted on the same servers. In early 2013, an investigative reporter for Scripps ran a Google search that turned up customer information from the servers. By shortening the URL, Scripps was able to access the parent directory and download over 100,000 confidential records and documents. Scripps informed the companies about its discovery and, in May 2013, the companies reported the breach to the FCC.

In concluding its investigation, the FCC seeks to fine the companies for violating the Communications Act, particularly the “duty to protect the confidentiality of proprietary information of … customers” (47 U.S.C. § 222(a)), and the requirement to implement “practices” that are “just and reasonable” (47 U.S.C. § 201(b)). The FCC contends that these laws were violated by (i) a failure to properly protect confidential consumer information; (ii) a lack of reasonable data security practices; (iii) deceptive and misleading practices by failing to comply with their public privacy notices; and (iv) unjust and unreasonable practices by not informing consumers of the data breach.

The FCC’s decision was applauded in separate statements by Chairman Tom Wheeler and Commissioner Mignon Clyburn. In dissent, Commissioner Ajit Pai stated that the fine was inappropriate because the FCC never before adopted rules or otherwise interpreted the Communications Act to impose an enforceable duty on carriers to employ reasonable data security practices to protect consumer information. Commissioner Michael O’Rielly also dissented, questioning the FCC’s authority to act as well as agreeing with Commissioner Pai that the FCC did not provide fair notice of liability under the Communications Act for such conduct.

This is the FCC’s first data security case and the largest privacy action in its history. It is also the FCC’s second significant enforcement action on privacy violations in the last two months, following a $7.4 million settlement with a major telecommunications carrier over its marketing practices.

For a copy of the FCC’s decision, press release and Commissioner statements, please click here.

Reporter, Mark H. Francis, New York, +1 212 556 2117, mfrancis@kslaw.com.