On July 9th, the Enforcement Bureau (EB) of the Federal Communications Commission (FCC or the Commission) reached a $3.5 million Consent Decree to resolve an investigation into whether TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel) (collectively, the Companies) violated laws protecting “phone customers’ personal information,” and whether YourTel failed to timely de-enroll Lifeline subscribers following an audit by the Universal Service Administrative Company (USAC). The Consent Decree solidifies a trend in FCC enforcement of carrier data security obligations.
The Consent Decree resolves two separate investigations into the Companies’ compliance with various laws and Commission rules.
First, the Consent Decree resolves a 2014 Notice of Apparent Liability (NAL)—which we addressed in a previous blog post—that the Commission issued to the Companies after the Companies reported an alleged security breach at a third-party vendor. As a result of the breach, Lifeline eligibility documentation of the Companies’ subscribers (and prospective subscribers) became available in clear text through a web search. The FCC estimates that the Companies failed to protect the private information of over 300,000 consumers. In the NAL, the Commission proposed a forfeiture of $10 million against the Companies.
Second, the settlement also resolves an FCC investigation into an alleged failure by YourTel to timely de-enroll subscribers from the Lifeline program after USAC determined that those particular subscribers were already receiving a Lifeline benefit from another eligible telecommunications carrier (ETC). Under the Commission’s Lifeline rules, an ETC has five days to de-enroll a subscriber after learning that the subscriber is receiving a duplicative Lifeline benefit.
Allegations and Admissions
In the underlying NAL, the Commission charged TerraCom and YourTel with violating Sections 222(a) and 201(b) of the Communications Act of 1934 by:
- Failing to protect the confidentiality of proprietary information (PI) that customers provided for purposes of demonstrating Lifeline program eligibility (an alleged violation of Section 222(a));
- Engaging in unjust and unreasonable practices by failing to employ reasonable data security practices to protect customers’ PI (an alleged violation of Section 201(b));
- Representing in their privacy policies that they protected customers’ PI, when in fact they did not (an alleged violation of Section 201(b)); and
- Engaging in unjust and unreasonable practices by failing to notify all customers whose PI could have been breached due to inadequate data security practices (also an alleged violation of Section 201(b)).
In the de-enrollment investigation, the Commission did not make formal findings, but asserted that YourTel failed to timely de-enroll subscribers after USAC directed it to do so. Specifically, USAC directed YourTel to de-enroll a group of subscribers in Illinois after completion of an inter-company duplicates review. USAC directed YourTel to de-enroll the subscribers in October 2012, but YourTel’s November 2012 reimbursement request still included some of the de-enrolled subscribers. YourTel blamed the erroneous request on a “system error” and subsequently amended its request to remove these subscribers.
For purposes of the Consent Decree, TerraCom and YourTel admitted violating Sections 201(b) and 222(a) of the Act. Furthermore, for purposes of the Consent Decree, YourTel admitted to violating Sections 54.405, 54.407, and 54.409 of the FCC’s rules, as well as the 2012 Lifeline Reform Order and the 2011 Lifeline Duplicates Order, in connection with its de-enrollment of subscribers.
Terms of the Consent Decree
Under the terms of the Consent Decree, TerraCom & YourTel agree to pay a $3.5 million civil penalty, and to implement a wide-ranging compliance plan, which is similar to the compliance plan AT&T agreed to following its recent data breach. The Compliance Plan includes the following key elements:
- Risk Assessment: Within thirty days, TerraCom & YourTel must perform a risk assessment to identify internal risks of PI or CPNI breaches by employees and vendors, and to evaluate the sufficiency of existing policies, procedures, and practices designed to control those risks.
- Information Security Program: Within sixty days, TerraCom & YourTel must establish a written information security program to protect against CPNI and PI breaches by employees and vendors. The Companies must keep this information security program up-to-date and address deficiencies and gaps as they appear. These provisions of the Consent Decree will remain in effect for eight years.
- Compliance Manual and Training: Within sixty days, TerraCom & YourTel must develop and distribute a compliance manual to relevant employees and vendors (and the vendors’ employees) explaining Section 222, the FCC’s CPNI rules, the terms of the Consent Decree, and all operating procedures that employees and vendors’ employees must follow. As with the information security program, TerraCom & YourTel must periodically review and revise the compliance manual to ensure it is current and accurate. Further, the Companies must establish and implement a compliance training program to ensure compliance with Section 222, the CPNI rules, and the operating procedures.
Furthermore, YourTel agreed to implement a compliance plan to ensure future compliance with the Lifeline eligibility and de-enrollment rules, which included operating procedures, a compliance manual, compliance training, and both compliance and non-compliance reporting procedures.
In addition, TerraCom & YourTel agreed to notify each affected customer about the breach that underlay the NAL, offer one year of complimentary credit monitoring services through a nationally recognized credit monitoring service, and provide a toll-free number where affected customers may contact the Companies with questions about the breach.
Where We’re Headed
The TerraCom & YourTel Consent Decree illustrates an emerging pattern in the FCC’s enforcement actions on privacy and data security. The terms of the compliance plan are similar to the terms of a recent $25 million AT&T Consent Decree over compromised PI and CPNI, which we discussed in a previous blog post. In both instances, the FCC found companies liable for insufficient data security practices by citing alleged violations of sections 222 and 201(b) of the Communications Act. Collectively, these two consent decrees provide a roadmap of the EB’s expectations in the area of data security. Commissioner O’Rielly commented that it was unfair for the Commission to conduct business in this way.
The Commission’s aggressive enforcement of privacy and data security matters isn’t likely to stop any time soon. FCC EB Chief Travis LeBlanc has repeatedly compared the Commission’s Section 201 authority to the FTC’s Section 5 authority. The TerraCom & YourTel Consent Decree clearly reflects such an interpretation. Remarking on this settlement, Mr. LeBlanc said, “[i]t is a breach of customer trust for a company to promise to protect personal information while failing to take reasonable measures to protect sensitive customer information.” One agency’s breach of trust is another agency’s deceptive act or practice.
In light of the FCC’s growing interest in privacy and data security, and the present absence of definitive rules for complying with Section 222 in the broadband context, all telecommunications and broadband providers should take affirmative steps to inventory their data security policies, procedures, and practices, as well as those of their vendors, to ensure compliance with FCC rules and guidance.