On October 24, the Federal Communications Commission (FCC) threw its hat into the data security regulation ring when it announced it intends to fine two telecommunications companies $10 million for allegedly failing to safeguard the personal information of their customers.
Both TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel) allegedly collected customers’ personal information, including names, addresses, Social Security numbers, and driver’s licenses, and stored it on servers where it was widely available online and could be found through a simple Google search. The information could be accessed by “anyone in the world,” exposing their customers “to an unacceptable risk of identity theft and other serious consumer harms.”
According to the FCC, TerraCom and YourTel violated Sections 201(b) and 222(a) of the Communications Act of 1934 by:
- Failing to properly protect the confidentiality of consumers’ personal information, including names, addresses, Social Security numbers, and driver’s licenses;
- Failing to employ reasonable data security practices to protect consumer information;
- Engaging in deceptive and misleading practices by representing to consumers in the companies’ privacy policies that they employed appropriate technologies to protect consumer information when they did not; and
- Engaging in unjust and unreasonable practices by not notifying consumers that their information had been compromised by a breach.
Whether the FCC’s announcement signals its intention to become yet another regulator of data security remains to be seen. But companies that collect and store customer personal information must take the initiative to ensure information is stored properly with appropriate data security safeguards in place. And safeguards are not enough. If, after investigation, a company uncovers a breach, it must timely notify customers in accordance with state law and federal regulations.