FCC, Again, Establishes Data Security Requirements by Consent Order
For the second time, the Federal Communications Commission (FCC or Commission) has taken enforcement action predicated on its purported authority over data privacy and security allegedly found in Section 201(b) of the Communications Act. Eschewing rulemaking, the agency's action comes in the form of an Order and Consent Decree (Order) with a major wireless carrier. In addition to imposing a $25 million civil penalty, the FCC announced a new category of protected data, "Personal Information," which must be safeguarded by entities subject to Title II of the Communications Act (the Act).
The April 8, 2015 Order settles an investigation into a data breach at the carrier's call centers in Mexico, Colombia, and the Philippines. The Order addresses disclosure of account-related data known as customer proprietary network information (CPNI) and whether the safeguards in place were "just and reasonable" under Section 201(b) of the Act. The data at issue included customers' CPNI, names, and at least the last four digits of their Social Security numbers. The Order indicates that such information could be used to place handset unlocking requests and could be sold to third parties.
"Personal Information" Covered
The relief imposed by the Order is instructive for telecommunications companies subject to Title II and the FCC's CPNI rules. The Order both imposes a $25 million civil penalty and mandates a compliance plan that includes implementation of new practices designed to protect CPNI and "Personal Information," a newly defined term that means:
"(1) an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (A) Social Security number; (B) driver's license number or other government-issued identification card number; or (C) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (2) a user name or email address, in combination with a password or security question and answer that would permit access to an online account."
Specific requirements of the compliance plan include:
- Appointing a senior compliance manager who is privacy-certified;
- Conducting a privacy risk assessment;
- Implementing an information security program;
- Preparing a compliance manual; and
- Training employees.
The Order comes on the heels of a $10 million Notice of Apparent Liability for Forfeiture (NAL) issued to TerraCom, Inc. and YourTel America, Inc. in October 2014, a case that signaled an FCC interest in data privacy and security beyond the scope of the agency's CPNI rules. There, the FCC alleged that storing proprietary information collected from consumers in an easily accessible format on the Internet violated Section 201(b) as an "unjust and unreasonable practice." Citing this NAL - non-final agency action taken by the Enforcement Bureau that has not ripened into a Forfeiture Order by the Commission - the Order states that "Section 201(b) applies to carriers' practices for protecting [personally identifiable information] (PII) and CPNI."
In addition, the Order states that Section 222 of the Communications Act and the CPNI rules (together the CPNI provisions) require carriers to "take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI" and to notify law enforcement within seven business days of a breach. Notably, the Order reflects that the enforcement target admits, "[f]or the purposes of th[e] Consent Decree only," that the actions subject to the FCC investigation violated the CPNI provisions. The Order contains no similar admission with respect to Section 201(b).
Aggressive FCC Enforcement
Coming after the enforcement action against YourTel and TerraCom, the Consent Decree signals a growing FCC interest in enforcing a broad concept of data privacy and security that goes beyond the scope of the agency's existing CPNI rules. It also suggests the FCC will continue to be aggressive in exercising the broad enforcement authority over data privacy and security that it asserts under Section 201(b).
Furthermore, the Order injects new uncertainty into the current Congressional debate over the creation of a national data security and breach notification regime enforceable by a single federal regulatory authority. The Order's definition of "Personal Information," the high forfeiture level, and the creation of a new category of protected data through adjudication rather than rulemaking all touch on issues addressed by a draft bill introduced by Representatives Marsha Blackburn (R-TN) and Peter Welch (D-VT). Because that legislation would shift the FCC's data security and breach notification jurisdiction to the Federal Trade Commission without a grant of rulemaking authority, the Order not only outlines the scope of power each agency would lose or gain under the bill, but could also shape lawmakers' views on the standards that should apply under a new national regime.