The FCC says the agency intends to fine two phone carriers — TerraCom Inc. and YourTel America Inc. a total of $10 million.
The action is notable because of the high amount of the proposed penalty and because this is the commission’s first data security case and what it terms “the largest privacy action” in commission history.
According to the Enforcement Bureau, an investigation revealed TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses and other sensitive information belonging to their customers on unprotected Internet servers. The companies collected the information to demonstrate eligibility for the FCC’s Lifeline program, a Universal Service Fund program that provides discounted phone service for low-income customers.
According to the commission, “The companies breached the personal data of up to 300,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud.”
“Consumers trust that when phone companies ask for their Social Security number, driver’s license and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world,” said Enforcement Bureau Chief Travis LeBlanc. “When carriers break that trust, the commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”
The companies told the commission they had privacy policies in place, however the agency says after the commission told the companies’ action was not taken to correct the problem.
The commission had planned to hold a public meeting on the case today, but cancelled that because the commissioners had already voted on it on circulation.
This is the second major enforcement action the FCC has taken to protect consumer privacy in the last two months. In September, the bureau reached a $7.4 million settlement with Verizon to address what the agency said was the company’s unlawful marketing to two million customers without their consent or notification of their privacy rights.
