The FCC entered into a $3.5 million settlement with TerraCom, Inc. (TerraCom) and YourTel America (YourTel). The settlement reduces the initial $10 million fine, and concludes the investigation into whether the companies failed to properly protect the confidentiality of personal information they received from more than 300,000 consumers.
The Enforcement Bureau of the FCC initiated its investigation in June 2013 following notification by TerraCom and YourTel of a data breach. The Enforcement Bureau found that customers provided TerraCom and YourTel with personal information including their name, address, date of birth, full or partial social security number, and copies of their driver’s license or state ID card. TerraCom and YourTel relied on a third-party vendor to store this information. The third-party vendor inadvertently failed to implement password protection for some of the stored data while updating its servers, and the personal information of more than 300,000 customers was accessible over the public internet. As a result of the data breach, the FCC charged both TerraCom and YourTel with violating Sections 222(a) and 201(b) of the Communications Act.
The companies will pay a $3.5 million fine to settle the Enforcement Bureau’s investigation. In addition to the fine, TerraCom and YourTel agreed to notify all consumers whose information was subject to unauthorized access, provide complimentary credit monitoring services for all affected individuals, and commit to improving their privacy and data security practices in the future. To improve their privacy and security practices, TerraCom and YourTel agreed to conduct an assessment of other privacy risks, implement a security program to protect written information, maintain strict oversight of their vendors, and ensure that a senior corporate manager is a certified privacy professional. Additionally, TerraCom and YourTel agreed to implement a data breach response plan, train their employees on privacy and security awareness, and file regular compliance reports with the FCC.
This case is the FCC’s first data security action. It demonstrates the FCC’s willingness to investigate and impose significant fines on companies that do not protect the personal information of their customers. Additionally, the security steps required under the settlement agreement provide a roadmap for companies seeking to protect themselves from potential liability. The additional security measures are actions that companies can and should take to avoid data breach liability in the future.