It seems like every month we wake up to another story about some giant company getting hacked -- or worse, negligently storing user data out in the open where anyone can get to it.
In the wake of data privacy breach after data privacy breach, the FCC is finally doing something other than worrying about Janet Jackson's wardrobe malfunction. On Friday, the FCC proposed a fine of $10 million against TerraCom and YourTel America for data privacy breaches.
How does this affect general counsel?
A Huge Data Breach
TerraCom and YourTel provide low-cost phone services for low-income consumers under a federal program called Lifeline. As part of the application process for getting these services, consumers have to submit documentation of their enrollment in one or more government assistance programs, along with pay stubs, Social Security numbers, and other personal information.
Well, color the FCC surprised when it found out that the company TerraCom and YourTel had contracted with to store these data was hosting the documents, unencrypted, on a server accessible from the public Internet. Scripps Howard News Service "located a consumer's data file by conducting a simple Google search," the complaint says. Scripps was able to download over 128,000 records, and evidence suggests people from countries like China and Ukraine (where identity theft is known to proliferate) also accessed these records. (TerraCom and YourTel also reportedly threatened Scripps reporters with prosecution for violating the Computer Fraud and Abuse Act -- because that will surely make the problem of bad P.R. go away.)
Really, Really, Really Bad
The TerraCom and YourTel fine seems to be a case of "the three reallys"; namely, their data breach was really, really, really bad. Not only were there practically no safeguards on the data, but the companies didn't notify affected customers and didn't even sufficiently investigate to determine the full extent of the damage.
The FCC's power to recommend such a huge fine comes from federal regulations and 47 USC Section 222, which requires that telecommunications customer records be kept private. While this could arguably apply to companies providing Internet service, it probably doesn't apply to websites that host user information, because they're not providing "telecommunications service."
Nevertheless, there are federal statutes that require online service providers to keep private data private. Notably, the Stored Communications Act allows for both criminal and civil actions against anyone who knowingly and intentionally discloses private user data. That's a pretty high bar, though, and probably wouldn't cover hacking, unless a company's security is woefully, recklessly inadequate.
If your company hosts any kind of private data, hopefully you're continually auditing your security to make sure that it's adequate. The FCC's proposed fine is an extraordinary case, but it shows that when it comes to data security, someone's paying attention.