FCC issues $10M fine for telecoms’ data breach

By Erin Ayers on October 27, 2014

In its first data security case, the Federal Communications Commission (FCC) has hit two companies with a $10 million fine for improperly storing their customers’ sensitive personal information on a server easily accessible to the public.

TerraCom Inc. and YourTel America Inc. collected information from low-income individuals to determine eligibility for Lifeline, a government program providing discounted telephone service. The firms outsourced data collection to a vendor that stored names, addresses, Social Security numbers, and other personal information on an unsecured Internet server. The FCC called it the “largest privacy action in the Commission’s history,” with as many as 305,000 consumers affected.

“Consumers trust that when phone companies ask for their Social Security number, driver’s license, and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world,” said Travis LeBlanc, chief of the FCC’s Enforcement Bureau. “When carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.”

The breach was discovered in 2013 by a Scripps news service reporter, who was able to access all Lifeline data collected and stored by Vcare, a vendor used by YourTel and TerraCom. The reporter alerted the companies, which responded by sending a cease-and-desist letter and accusing Scripps’ reporters of hacking.

However, the FCC found that the real wrongs had been committed by the telecom carriers: they had failed to protect the sensitive data, misrepresented their privacy procedures in their privacy policies, and failed to notify consumers properly.

“The single most critical piece of one’s personal information is the nine-digit number assigned to you at birth,” stated FCC Commissioner Mignon Clyburn. “That social security number is your first and continuous link to wages, earnings and benefits, and stays with you for eternity. Headlines reporting significant data breaches are all too common. Once a breach occurs, there is often a long road for consumers to regain control of their personal information. Thus, it is imperative that companies in possession of our proprietary data take all appropriate measures to make sure it is not compromised.”

The FCC joins numerous other government officials cracking down on cybersecurity and data protection, including the U.S. Treasury, the Justice Department, and many state attorneys general.

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.