Cinnamon Mueller Client Updates

 

FCC Proposes $10 Million Forfeiture for Carriers that Breached Consumer Privacy

Creates New Data Security Breach Notification Requirement and Signals Intent to Vigorously Protect Data Security

          On October 24, 2014, the FCC issued a Notice of Apparent Liability for Forfeiture (“NAL”) against two affiliated common carriers providing telecommunication services for allegedly failing to protect consumers’ personal information.

             Overview.  The FCC found the two carriers apparently liable for violating two separate provisions of the Communications Act, Section 222(a) and Section 201(b), by failing, among other things, to protect the confidentiality of proprietary information (“PI”) collected from Lifeline applicants and failing to notify customers whose PI was exposed to data security breaches. 

          Under Section 222 of the Communications Act, telecommunications carriers, and, since 2007, interconnected VoIP providers, are required to protect the confidentiality of “customer proprietary network information,” commonly known as “CPNI.”  Section 201(b) prohibits common carriers from engaging in unjust and unreasonable practices. 

          In a departure from precedent, this NAL signals the FCC’s intent to bring enforcement actions with respect to a broader category of “proprietary information” and data security practices.  The action is the latest in a series of high-profile, high-penalty enforcement actions brought by the FCC’s new Enforcement Bureau Chief.

            Background.  According to the NAL, the two carriers began to offer reduced-cost services to qualifying low-income individuals under the FCC’s Lifeline program.  In 2013, an investigative reporter for Scripps Howard News Service (“Scripps”) discovered that they were storing PI and documents submitted by Lifeline service applicants on an unprotected Internet site.  Over a one-month period in 2013 – March 24th to April 26th – Scripps reporters accessed over 128,000 confidential records and documents submitted for the carriers’ services by subscribers and Lifeline applicants through a simple Google search.  Once it had located a single file, Scripps was able to obtain access to the entire directory of applicant and subscriber data by shortening that file’s URL.  The data was collected by the carriers, but the documents that contained PI were stored in clear readable text on Internet-accessible servers run by a third-party vendor. 

          On April 26, 2013, Scripps alerted the two carriers that it had accessed the third-party servers and had retrieved the PI of subscribers and applicants stored there.  The two carriers responded on April 30, 2013 by sending a “cease and desist” letter to Scripps, and, on May 7, 2013, by contacting the FCC’s Enforcement Bureau claiming to be victims of a security breach.  The Enforcement Bureau then launched its investigation of the carriers’ activities with respect to their customers’ PI.

            The NAL.  In this NAL, for the first time, the FCC broadened its interpretation of PI to also encompass “private information that customers have an interest in protecting from public exposure.”  Specifically, the FCC explained that the term “proprietary information” as used in Section 222(a) should be understood to mean more than just CPNI – which generally concerns a customer’s telephone service and call information.  Rather, the term “proprietary information” now broadly includes “confidential information . . . and personally identifiable information (PII).”  In the context of Lifeline services, the FCC defined PI to include a consumer’s first and last name; address; contact information; government issued identification number unique to the individual (e.g. social security number, passport or driver’s license numbers); financial account numbers; URL or IP addresses, or any combination of these.

         Applying this new interpretation of PI, the FCC charged the two carriers with the following apparent violations:

         (1)          Failing to protect the confidentiality of consumers’ PI in violation of Section 222(a);

         (2)          Failing to employ reasonable data security practices, including “even the most basic and readily available technologies and security features” in order to protect consumers’ PI in violation of Section 201(b);

         (3)          Misrepresenting security practices in their privacy policies, which stated that they protected customers’ personal information, when in fact they did not, in violation of Section 201(b); and

         (4)          Failing to notify some 300,000 customers that their personal information could have been breached as a result of the carriers’ inadequate data security policies, in violation of Section 201(b)—consequently, depriving them of the opportunity to protect their PI from misappropriation by third parties.

         Given its finding that the violations were willful and repeated, and the FCC’s belief that the carriers did not take their obligations to protect consumers’ PI seriously, the FCC calculated a base forfeiture of $9 billion.  This base fine was calculated from a standard figure used in CPNI cases – $29,000 per violation or day of continuing violation – and multiplied by the number of personal data records exposed, conservatively estimated at 305,065 records.  After weighing the facts and circumstances of this case, the FCC adjusted the proposed fine down to $10 million.

         Although the FCC found four apparent violations of the Communications Act, the $10 million fine did not cover the carriers’ alleged failure to provide data security breach notices to customers under Section 201(b).  The FCC explained this was because this is the first time that it had declared a carrier’s practices unjust or unreasonable for failures related to data security. 

         The carriers have the opportunity to respond and seek reduction or cancellation of the proposed forfeiture.  Based on the size of the proposed fine, the FCC’s acknowledgement that this is its first data security case, and the dissenting statements of Commissioners Pai and O’Rielly – who believe that this represents a significant departure from past practice and that the FCC took action without fair notice of its intent to delve into data security – the carriers are expected to challenge the NAL. 

           Implications for Telecommunications Carriers and VoIP providers.  Common carriers are subject to all of the statutory provisions invoked in this NAL.  VoIP providers, while generally not subject to common carrier regulation, are bound by CPNI rules under Section 222.  With this NAL, the FCC put companies on notice that they are expected to protect confidential consumer data and notify consumers of security breaches.  The NAL states that the FCC will review a carrier’s notification practices on a case-by-case basis.  Prudent carriers and VoIP providers will take note of this new data security breach notification requirement and update their privacy policies and procedures accordingly.

            If you have any questions about privacy and data security requirements or this Notice, please contact Maayan Lattin at (202) 872-6881 or mlattin@cinnamonmueller.com, or Jake Baldwin at (312) 372-3930 or jbaldwin@cinnamonmueller.com.

FCC Announces Form 477 Filing Interface to Open in Approximately Two Weeks

          On Wednesday, October 28, 2014, the FCC released a Public Notice announcing that it expects the Form 477 filing interface to remain closed until at least November 10, 2014.  The filing interface remains closed as the FCC addresses a number of technical difficulties that led to the postponement of the October 1, 2014 filing deadline (reporting data as of June 30, 2014) for Form 477. 

          After the filing interface reopens, the FCC plans to release a public notice announcing the new filing deadline for Form 477.  Importantly, the new deadline will be no less than 14 days after release of the public notice.  

          As a reminder, this is the first Form 477 filing requiring the use of the new filing interface on the FCC’s website.  Updated instructions for filers can be found here.  Filers can also review a brief summary of the Form 477 changes on the FCC’s website.

          If you have any questions about Form 477, please contact Scott Friedman at (312) 372-3930 or sfriedman@cinnamonmueller.com.