Free Enterprise - The FindLaw Small Business Law Blog

FCC Fines 2 Companies for Data Breach: What SMBs Need to Know

After a year filled with news stories about data privacy breaches, including Target and Home Depot, it seems that the Federal Communications Commission (FCC) is finally doing something about it. On Friday, the FCC proposed a $10 million fine against two telecom companies for data breaches that potentially affected 300,000 customers, The Washington Post reports.

How did this happen? And what does this mean for small businesses that store customer data?

Out in the Open

The data breaches came to light last year when Scripps Howard News Service was able to find customer records stored by TerraCom and YourTel, two companies that provide low-cost phone service to low-income customers under a federal program. The records contained very sensitive information like Social Security numbers and pay stubs. It turns out customer data were stored unencrypted on servers open to the Internet; in some cases, Scripps reporters were able to locate the data via a Google search.

What Does This Mean for Small Businesses?

Unless you're a telecommunications company, it's unlikely the FCC will be coming after you for $10 million any time soon (the federal law that allows the FCC to act in this case applies only to phone companies). Nevertheless, if your business stores any user information -- including passwords, or even phone numbers -- you'll want to make sure that it's stored securely.

Here are a few considerations:

  1. Engage in security best practices. Never store usernames or passwords unencrypted in "clear text." Never store customer information on servers that are directly accessible to the Internet. And here's an idea that you may not have thought of: Limit physical access to the machines storing the data. Why? Hackers were able to divert credit card data in last year's Target data breach by gaining access to a machine room and installing malicious software directly on one of Target's servers.
  2. Consider a security audit. A security company can come in and assess your network and computer security, often attempting to break in the same way a hacker would. It's easy to think that you're secure -- until someone tries to break in using a method you hadn't thought was possible.
  3. Don't store data unless you really have to. Until a few years ago, it was common to use Social Security numbers as unique customer identifiers. That makes sense: Everyone's SSN is different. But the problem is, the number is so important to a person's identity that if it's stolen, it could be way more costly for a customer to rectify the situation than it would be for you to come up with a different record-keeping system.

So while the law at issue in the FCC's first data breach fine applies only to phone companies, keep in mind that different kinds of data are protected under different laws (even video rental records!) that can subject companies to liability if the data are leaked.
