United States: US FCC Enforcement Action Represents Unprecedented Expansion Of The Agency’s Authority Over Data Security

Last Updated: October 28 2014
Article by Howard W. Waltzman and Lei Shen

The US Federal Communications Commission (FCC) is asserting unprecedented authority to regulate data security matters with its recent action against two telecommunications carriers for failing to protect customers' personal information from unauthorized disclosure. The FCC issued a Notice of Apparent Liability for Forfeiture (NAL) against TerraCom, Inc., and its affiliate, YourTel America, Inc. (collectively, the "Companies"), for failing to adequately protect consumers' information from disclosure, and fined the Companies a record $10 million. The action is the FCC's first major case involving data security, a subject matter typically overseen by the Federal Trade Commission (FTC). More importantly, the case involves the data security of non-call-related information, which introduces a potential overlap with the FTC's jurisdiction and the risk of dual, and even conflicting, regulation.

Background

The Companies are common carriers that provide telecommunications services to low-income customers as part of the Universal Service Fund's Lifeline program. In order to demonstrate customers' eligibility for the Lifeline program, the Companies collected sensitive personal information, such as name and address, date of birth, Social Security Number and driver's license or state ID number. The Companies then allegedly stored the information on unprotected Internet servers in publicly accessible folders without password protection or encryption. Scripps Howard News Service discovered the breach when it found that the customers' sensitive data files could be located with a simple Google search and basic URL manipulation. The FCC claims that the personal data of up to 305,000 consumers was potentially breached between September 2012 and April 2013.

In the NAL, the FCC charged the Companies with various violations of the Communications Act of 1934 (the Act). Specifically, the FCC alleged that the Companies violated: (i) Section 222(a) of the Act for failing to protect the confidentiality of consumers' proprietary information; (ii) Section 201(b) of the Act by failing to employ reasonable data security practices to protect consumers' proprietary information; (iii) Section 201(b) of the Act by falsely representing in their privacy policies that they protected such information; and (iv) Section 201(b) of the Act by failing to notify all customers whose information could have been breached.[1]

Section 222(a) Violation

While the FCC has rules governing data breaches, they are limited to breaches of customer proprietary network information (CPNI). Section 222 of the Act, which also governs a carrier's use and disclosure of CPNI, defines CPNI as "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and ... information contained in the bills pertaining to ... service received by a customer of a carrier ...."

Typically, the subsections of Section 222 have been read in conjunction with each other to describe a carrier's obligations with respect to CPNI―with subsection (a) setting forth the entities to which Section 222 applies, and the subsequent subsections providing more specificity on how carriers may use or disclose CPNI. The FCC has not previously promulgated rules interpreting the definition of "proprietary information" in subsection (a) differently than the definition of CPNI.

In the NAL, however, the FCC expanded the scope of subsection (a) to go beyond CPNI and encompass any proprietary information. Section 222(a) of the Act states that carriers have a duty "to protect the confidentiality of proprietary information of, and relating to ... customers." In the NAL, the FCC argued that the reference to "proprietary information" in Section 222(a) covered "all types of information that should not be exposed widely to the public, whether because that information is sensitive for economic reasons or for reasons of personal privacy." The term proprietary information, according to the FCC, "broadly encompasses such confidential information as privileged information, trade secrets, and personally identifiable information."

As part of its reasoning for this interpretation, the FCC relied on the inclusion of the word "privacy" in two section headings as a source of authority – first in the section heading for Section 222 and again in the heading for Section 222(c)(1). In addition, the FCC pointed out that, although Section 222(c)(1) refers to CPNI specifically, it is titled "Privacy requirements for telecommunications carriers," and therefore the term "clearly encompass[s] private information that customers have an interest in protecting from public exposure." Commissioner O'Rielly disagreed with the FCC drawing authority from the headings, and, in his dissent, commented "If the Commission can invent new authority based on the 'Privacy of Customer Information' heading of section 222, I can only imagine what it could do with the heading of section 215: 'Transactions Relating to Services, Equipment, And So Forth.'"

Section 201(b) Violations

Section 201(b) of the Act generally requires telecommunication carriers' practices to be "just and reasonable." Specifically, Section 201(b) states that "[a]ll charges, practices, classifications, and regulations for and in connection with [interstate or foreign] communication service [by wire or radio], shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful."

In the NAL, the FCC broadly interpreted its authority to regulate "unjust and unreasonable" practices to cover a telecommunication carrier's data security practices. It alleged that the Companies violated Section 201(b) and engaged in "unjust and unreasonable" practices by: (i) failing to employ reasonable data security practices to protect their customers' personal information, (ii) misrepresenting in their privacy policies that they protected customers' personal information, and (iii) failing to notify all customers whose personal information could have been breached by the Companies' lax security practices.

The FCC cited the failure to implement certain data security practices as an example of the Companies' "unjust and unreasonable" practices. For example, the FCC pointed to the Companies' lack of encryption for their customers' personal information. The FCC argued that, because carriers have an existing statutory obligation to use reasonable steps to protect their customers' CPNI, which could include the use of encryption, the lack of encryption "clearly evidences the unjust and unreasonable nature of the Companies' data security practices." The Companies also used random URLs to protect their customers' personal information, which the FCC argued the Companies "knew or should have known" provide inadequate security.

In addition, the Companies' privacy policies either expressly represented or implied that they employed reasonable security measures to protect consumers' private information. For example, TerraCom's privacy policy stated "TerraCom Wireless has implemented technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use and will continue to enhance its security measures as technology becomes available." The FCC found these misrepresentations to be a "deceptive practice" that was "unjust and unreasonable" in violation of Section 201(b). The FCC's assertion of authority over "deceptive" data security practices is strikingly similar to the FTC's authority over "unfair or deceptive acts or practices" under Section 5 of the FTC Act.

Moreover, the FCC found that, because the Companies only notified 35,000 of the more than 300,000 people whose data was possibly compromised by the breach, this notification "of anything less than all potentially affected consumers" was unjust and unreasonable in violation of Section 201(b).

Conclusion

The FCC's action raises several concerns. First, its expansive interpretation of what constitutes "proprietary information" under Section 222(a) is being adopted as part of an enforcement action, rather than in the context of an industry-wide rulemaking subject to notice and comment. Such a seismic shift in the scope of Section 222 raises many issues that warrant consideration in an open, public proceeding. As Commissioner Pai noted, "an agency cannot at once invent and enforce a legal obligation."

Second, the FCC is interpreting "proprietary information" to far exceed the scope of CPNI. By including Social Security and driver's license numbers, in addition to other information, within the bounds of its authority, the FCC is asserting authority over information that has no bearing upon the call-specific information that served as the genesis of Section 222. The FTC has focused for quite some time on protecting Social Security numbers and other information the disclosure of which could result in identity theft, and it is not clear why the FCC would claim expertise over such information just because such information is possessed by a telecommunications carrier.

While issues related to the FTC's common carrier exemption would need to be addressed, the FTC would seem to be the more logical agency to protect such information. In the interim, the FCC's action could create a compliance nightmare if the FCC interprets data security and breach notification obligations in a manner that conflicts with FTC-related requirements.

Third, if the FCC is able to claim that its authority over "unjust and unreasonable" practices includes data security breaches, then there appear to be few limiting factors as to what constitutes a practice "for and in connection with" a communications service under Section 201(b). Commissioner O'Rielly commented in his dissent that "I am noticing a disturbing trend at the Commission where, in the absence of clear statutory authority, the Commission suddenly imbues an innocuous provision of the Act with tremendous significance in order to meet its policy outcome."

[1] See Federal Communications Commission, Notice of Apparent Liability for Forfeiture, In the Matter of TerraCom, Inc. and YourTel America, Inc., Oct. 24, 2014, at page 5.


© Copyright 2014. The Mayer Brown Practices. All rights reserved.
