FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring

It's a sure sign that the tide on privacy and security enforcement has turned when the Federal Communications Commission (FCC), not one known to take enforcement actions in the data privacy and security space, fines two telecoms for $10 million dollars. On Friday, October 24, 2014, the FCC issued a Notice of Apparent Liability for Forfeiture (Notice) against TerraCom, Inc. and YourTel America, Inc., levying, in a 3-2 vote, a fine against the two companies for failing to protect the "proprietary information" of low income Americans.[1]

A brief summary and comparison to other enforcement actions and settlement agreements.... The facts and circumstances in the action against TerraCom and YourTel read very similar to enforcement actions from the Federal Trade Commission, where it frequently relies on statements made in privacy policies. Here, we have two telecoms that used a third-party vendor to provide a significant amount of services, including the storage of sensitive data. The companies advertised on their websites and privacy policies that they safeguarded consumer information, but in fact, "failed to employ reasonable practices to safeguard this information as they represented, expressly or by implication, in their privacy policies." Importantly, the FCC looks to what the companies represented and noted that they were looking at the express language or "by implication." That is, it appears that the FCC, like the FTC, will look more broadly at what the materials meant to convey.

Further, the FCC found the use of passwords and encryption important noting that, "the Companies' choice to store, or its vendor's choice to store, files containing the PI of customers in a publicly accessible folder on the Internet, without password protection or encryption, is the practical equivalent of having provided no security at all." But, then the FCC went further, stating that "given the state of technology, we believe the lack of encryption clearly evidences the unjust and unreasonable nature of the Companies' data security practices." This speaks directly to the approach taken by the Office of Civil Rights in its settlement agreements with covered entities that have failed to encrypt laptops that were subsequently lost.

Finally, the FCC found it troubling that the Companies failed to notify all potential victims. This speaks directly to that basis of several enforcement actions brought by State's Attorneys' General, including, for example, the Attorney General of Indiana and the Attorney General of Massachusetts.

Moving forward, this enforcement action may signal an important turn in the discussion of the regulatory framework of the Internet of Things, where the FCC is sure to be a strong player.

The issue was brought to light when, in 2013, a reporter from the Scripps Howard News Service discovered that the companies were storing the information in an unsecured manner and, over the period of several days, Scripps' reporters accessed 128,066 documents. When the news service brought the issue to the attention of the two companies, the companies sent a cease and desist letter to Scripps calling the reporters "hackers".[2]  The companies notified the FCC Enforcement Bureau on May 7, 2013 regarding the incident "claim[ing] that the Companies were victims of a security breach."[3] The FCC alleges that the companies exposed the proprietary information of more than 300,000 consumers.

As the opening paragraph of the Introduction explains:
Today, we take action against two companies that collected names, addresses, Social Security numbers, driver's licenses, and other proprietary information (PI) belonging to low-income Americans and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation. The companies stored such consumer PI in two publicly accessible folders on the Internet without password protection or encryption. By not employing appropriate or even reasonable    security measures, the companies exposed their customers to an unacceptable risk of identity theft and other serious consumer harms.[4]
The FCC found that the companies violated Sections 201(b) and 222(a) of the Communications Act of 1934 as well as FCC Rules when they:
(i) failed to properly protect the confidentiality of consumers' PI they collected from applicants for the Companies' wireless and wired Lifeline telephone services;

(ii) failed to employ reasonable data security practices to protect consumers' PI;

(iii) engaged in deceptive and misleading practices by representing to consumers in the Companies' privacy policies that they employed appropriate technologies to protect consumers' PI when, in fact, they had not; and

(iv) engaged in unjust and unreasonable practices by not fully informing consumers that their PI had been compromised by third-party access.
Both companies provide subsidized telephone services to low income Americans under the Lifeline program. While the companies "have common shareholders, share key management employees, and are joint owners of a third company, BrightStar Global Solutions, LLC (BrightStar), [they] are separate corporate entities headquartered in Oklahoma and Missouri."[5]  In providing the services, Brightstar retained a third party vendor, CallCenters India, Inc., d/b/a Vcare Corporation (Vcare), to provide certain hosted services, including the call center, back office support, billing, software, and data storage for customer application files.[6]  According to the FCC Notice, Vcare stored customer files in "in clear, readable text and in electronic format accessible via the Internet."[7]  These files contained all the information that customers needed to apply for the Lifeline program including, for example, "their name and address, date of birth, Social Security Number, . . . driver's license or state ID card . . .  annual statement of government benefits; the prior year's state, federal or Tribal tax return; paycheck stubs; Social Security benefit statements; Veterans Administration benefit statements; retirement or pension information; Unemployment or Workers' Compensation benefit statements; Federal or Tribal notice letters of participation in General Assistance; divorce decrees or child support awards; or other official documents establishing the applicant's income level."

As describe above, an investigative reporter discovered that the telecoms were storing information in an unsecured manner. When the news service notified the telecoms regarding their security hole, the companies called the reporters working for the news service hackers and then proceeded notify the FCC regarding the security incident.

In its action, the FCC explains, TerraCom and YourTel "apparently willfully and repeatedly" violated their duties under Section 222(a) of the Communications Act of 1934, which requires carriers "to protect the confidentiality of proprietary information of, and relating to . . . customers."[8]  The FCC further notes that, "[t]he Commission has made clear that section 222(a) requires carriers to take every reasonable precaution to protect the confidentiality of proprietary or personal customer information and that it was committing to taking resolute enforcement action to ensure that the goals of section 222 are achieved."[9]  While declining to adopt the NIST definition of personally identifiable information, the Commission found it instructive in formulating its definition of proprietary information and read the definition of proprietary information broadly:

In the context of Lifeline service at issue here, "proprietary information" includes all documentation submitted by a consumer or collected by an ETC to determine a consumer's eligibility for Lifeline service, as well as all personally identifiable information contained therein. Specifically, information such as a consumer's (i) first and last name; (ii) home or other physical address; (iii) email address or other online contact information, such as an instant messaging screen name that reveals an individual's email address; (iv) telephone number; (v) Social Security Number, tax identification number, passport number, driver's license number, or any other government-issued identification number that is unique to an individual; (vi) account numbers, credit card numbers, and any information combined that would allow access to the consumer's accounts; (vii) Uniform Resource Locator ("URL") or Internet Protocol ("IP") address or host name that identifies an individual; or (viii) any combination of the above, constitutes "proprietary information" protected by Section 222(a).[10]
This broad reading is consistent with the approach taken by the Health Insurance Portability and Accountability Act (HIPAA) in its definition of protected health information as well as the definitions of personally identifiable information adopted by more recent state data breach laws, such as the Florida Information Protection Act of 2014.

Interestingly, in assessing consumer expectations, like the Federal Trade Commission, the FCC also looked at the promises the telecoms made in their privacy policies, noting specifically that:
The Companies' privacy policies assure those persons submitting"[c]ustomer specific information" through their website that they will protect that information and, in fact, inform such applicants that"[b]y providing us with your information, you acknowledge that you have read this privacy policy, understand it, agree to its terms and consent to the transfer of such information outside your resident jurisdiction.[11]
Therefore, the telecoms set certain expectations in the minds of their consumers that they failed to meet.

Further, the FCC found that TerraCom and YourTel violated Section 201(b) of the Communications Act of 1934, because their "failure to protect and secure the PI of their customers . . . constitute[d] an unjust and unreasonable practice."[12]

Unreasonable Data Privacy and Security Practices

According the FCC, the "evidence shows that the Companies' security measures lacked even the most basic features to protect consumers' PI."[13]  The FCC noted the following practices as being unreasonable:
  • Storing the information in plain text thereby enabling it to be read by search engines - "the PI hosted by Vcare on its server was widely available on public websites online through a simple Google search," at least two applications were cached by the Google search engine, and these applications remained cached until the FCC contacted Google to have them removed.[14]
  • Failing to properly secure the server directories storing the PI and using applicant names in the URLs -
    • "The Companies knew or should have known that the use of random URLs without more (e.g., encryption) to protect applicant records provided inadequate security and left the documents vulnerable to exposure via search engines-which operate by visiting websites, indexing all or much of the content available on them, and then delivering links to the indexed results to anyone that queries the engine."[15]
    • "[T]he Companies' URL naming convention for one of the folders containing PI that was stored on Vcare's server also exposed the names of the applicants or customers directly in the URL, further demonstrating the lack of security of the records."[16]
  • Failing to use encryption - "We do not hold here that encryption without more would satisfy a carrier's duty under Section 201(b); however, given the state of technology, we believe the lack of encryption clearly evidences the unjust and unreasonable nature of the Companies' data security practices."[17]
Failing to Notify Consumers

The FCC also found it troubling that the companies only notified 35,129 consumers of the potentially 300,000+ that were impacted. The telecoms argued that they followed the state data breach laws for each of the individual states, but the FCC found the "failure to notify all affected consumers of the breach unjust and unreasonable because it left consumers ignorant about the risks of identity theft problems that may occur due in whole or part to the breach-a problem made even more troubling in light of the Companies' admission that they do not know the extent or breadth of the breach."[18]

[1] FCC, In the Matter of TerraCom, Inc. and YourTel America, Inc., File No.:EB-TCD-13-00009175, FRNs:0010103745 and 0020097572 (Oct. 24, 2014), https://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1027/FCC-14-173A1.pdf.

[2] Id. at para 6-7.

Id. at para 8.

Id. at para 1 (emphasis added).

[5] Id. at para 3.

Id. at para 5.

[7] Id.

[8] Id. at para 13.

[9] Id. (internal quotations and citations omitted.)

Id. at para 19.

[11] Id. at para. 25. See also the discussion starting in para. 36.

[12] Id. at para. 31.

[13] Id. at para. 29.

[14] Id.

[15] Id.

[16] Id. at para. 33.

[17] Id. at para. 32.

[18] Id. at para. 39.

Posted by Tatiana Melnik on October 27, 2014.

November 2016

Blog Home  

Newest Blog Entries
7/23/15 Hospital Settles with OCR for $ 218,400 Over Cloud-Based File Sharing

6/8/15 Two California Privacy Bills to Watch in 2015

3/28/15 When Looking at Security, Consider Every Device

3/9/15 Alabama Board of Optometry Makes Final a Rule on Telemedicine

1/25/15 Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing

12/9/14 Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider

11/30/14 Can a Board of Medicine Use the State’s Prescription Drug Database in Investigating Physician Actions?

11/29/14 Under the Florida Telemedicine Rule, Can a Physical be Conducted by Telemedicine?

11/19/14 Wearables and the Challenge for Consumer Device Makers

10/28/14 A Few Telemedicine Resources

10/27/14 FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring

Blog Archives
April 2014 (6)
February 2014 (4)
May 2014 (6)
November 2014 (3)
July 2014 (1)
June 2015 (1)
November 2013 (3)
September 2014 (1)
December 2014 (1)
January 2015 (1)
June 2014 (3)
December 2013 (5)
March 2015 (2)
October 2013 (9)
July 2015 (1)
October 2014 (2)
March 2014 (3)
August 2014 (4)
January 2014 (4)

Blog Labels
Dental (1)
FCC (1)
Financial Services (1)
Mobile Apps (2)
Medical Marijuana (1)
Employment (1)
FAQ (6)
Meaningful Use (4)
EHR (2)
Privacy Litigation (3)
Identity Theft (1)
Security (1)
Healthcare Fraud (1)
Marketing (1)
BYOD (2)
Social Media (2)
Mobile Apps FDA (2)
Data Breach (10)
Big Data (3)
Healthcare Competition (1)
Privacy (4)
Telemedicine (7)