Making a splash with its first-ever data security enforcement actions, the Federal Communications Commission (FCC) entered uncharted waters late last year by aggressively asserting its role in safeguarding consumer information. In the fall of 2014, for the first time, the FCC took administrative enforcement action in two instances against telecommunications carriers that misused data, misrepresented their data security efforts, and failed to appropriately secure customer data. The FCC’s efforts demonstrate that it believes it has a role to play in the wider privacy landscape, even as the Federal Trade Commission (FTC) has thus far taken the lead on privacy and data security enforcement.1
Notably, the FCC’s enforcement actions occurred in the absence of the commission having issued any guidelines, promulgated any rules under notice and comment procedures, or announced any policy objectives. Regardless, the FCC has indicated that it believes that it has jurisdiction over telecommunications carriers to scrutinize their data security and customer information use practices. The sudden arrival of a second data security regulator creates uncertainty for businesses in the communications and technology space.
Consent Decree with Verizon
The FCC first announced, in September 2014, that its enforcement bureau reached a settlement agreement with Verizon based on allegations of misuse of customer information.2 The FCC alleged that Verizon unlawfully used the customer proprietary network information (CPNI) of two million subscribers for marketing purposes, and failed to notify subscribers of their privacy rights under FCC rules or their ability to opt out of marketing programs. The commission further alleged that Verizon failed to notify the FCC of its noncompliance within the five-day timeframe required under FCC rules. The consent decree imposed a $7.4 million fine on Verizon as well as a three-year compliance program requiring opt-out notifications on customer bills, and billing system testing, monitoring, and reporting requirements.
Civil Liability Notice for TerraCom and YourTel America
One month later, the FCC issued a Notice of Apparent Liability (NAL) to two carriers, TerraCom and YourTel, alleging their failure to secure sensitive customer information.3 Both companies are landline and wireless phone service carriers that collect customer information from low-income applicants seeking to qualify for Lifeline/Universal Service Fund reduced rate phone service. The parties collected applicants’ Social Security numbers, names, addresses, and driver’s license data. The FCC alleged that TerraCom and YourTel: stored applicants’ data on unprotected servers accessible from anywhere on the Internet, thereby compromising the data of over 300,000 consumers; failed to notify customers that their information was or could be breached; and put forth privacy policies assuring applicants that information collected was appropriately secured when in fact it was not. The FCC concluded that the “carriers’ failure to reasonably secure their customers’ personal information violate[d] the companies’ statutory duty under the Communications Act to protect that information, and also constitute[d] an unjust and unreasonable practice in violation of the Act . . . .”4 Consequently, and by a sharply divided vote of 3-2, the FCC issued a NAL proposing a $10 million forfeiture penalty on the companies.5
Legal Basis for FCC’s Actions Remains Uncertain
The FCC has cast its data security efforts as a natural outgrowth of its longstanding mission to safeguard privacy in the telecommunications industry, pointing to preexisting rules governing CPNI, such as billing, call duration and location data, and customer consent requirements, along with “Do-Not-Call” efforts. Nevertheless, the statutory basis of the commission’s actions is disputed, including by some of the commissioners themselves. In TerraCom, the FCC relied on § 222(a) of the Communications Act,6 interpreting the term “proprietary information” to encompass “private information that customers have an interest in protecting from public exposure”7—a breathtakingly broad standard. Indeed, the three-commissioner majority indicated that “proprietary information” is broader than CPNI and “broadly encompasses such confidential information as privileged information, trade secrets, and personally identifiable information (PII).” The FCC also relied on § 201(b) to conclude that the companies’ lack of basic security measures was an “unjust and unreasonable” practice counter to that provision.8 The commission further stated that it was unjust and unreasonable to misrepresent to customers in privacy policies that information would in fact be protected, and to fail to notify customers that their data may have been compromised.
Two commissioners strongly dissented from the FCC’s decision in TerraCom.9 They criticized their colleagues’ interpretation of the act as imposing a duty to protect PII, and disputed the notion that § 222 extends to anything beyond CPNI as defined in the statute. They also stated that the FCC’s actions ran afoul of due process by not providing advance, fair warning of carrier obligations, particularly as regards the notification obligation that the majority found implicit in the statute. Even if the act provided a sufficient legal basis for FCC data protection enforcement, the dissenters admonished that the FCC should first conduct a rulemaking to establish and provide proper notice of the duties to be imposed on carriers. The dissenters’ statements reveal that, despite the FCC’s bold enforcement actions, the commission is deeply divided as to what, if any, is the agency’s appropriate role as a watchdog in the data security space.
Overlapping Enforcement or Under-Enforcement?
Even if its statutory authority is murky, the FCC appears to have set a course to continue its efforts in the data security space alongside the FTC. While the FTC’s reach extends to a broad swath of industries, the FTC Act specifically excludes common carriers, as defined by the Communications Act, from the FTC’s jurisdiction.10 It is perhaps for this reason that the FCC has waded into data protection enforcement as it relates to such carriers; otherwise, their privacy and data security practices might go unchecked. Indeed, in an ongoing dispute with the FTC over data throttling, AT&T, a common carrier, has argued that it is wholly exempt from FTC regulation, including where it offers services, like mobile data, that are not common carrier services.11 Should AT&T prevail, and should courts find that the FCC exceeded its statutory authority if that agency’s jurisdiction is challenged, then the data security and privacy practices of common carriers would fall outside the jurisdiction of both agencies. And it is not just the FCC’s statutory authority that has been questioned; the FTC continues to fend off challenges to its own statutory authority to regulate privacy and data protection matters at all.12
Publicly, the FTC has pledged to cooperate with the FCC and dismissed speculation that there is a growing turf war between the agencies.13 Nevertheless, the precise bounds of the FCC’s privacy and data security jurisdiction, and whether it can reach beyond common carriers, are unclear, setting the stage for conflict between the two agencies. Could the FCC extend jurisdiction over mobile application developers, telecommunications equipment manufacturers (ranging from mobile handsets and set top boxes to Internet-connected light bulbs and personal fitness trackers), cloud storage services, or other businesses whose products or services are telecom- or Internet-related? And if so, would these entities, none of which are common carriers, also be subject to FTC jurisdiction? Businesses run the risk of getting stuck in the cross-fire.
Jurisdictional issues aside, Commissioner Ajit Pai, who dissented in TerraCom, has called for the FCC, at the very least, to engage in rulemaking before enforcing standards of which industry was not previously apprised. A rulemaking would give businesses the opportunity to voice their concerns and share their perspective on potential rules during the notice and comment process. Regardless, the FCC will almost certainly face future challenges to its own statutory authority to bring enforcement actions in the absence of promulgated rules. As the other dissenter in TerraCom, Commissioner Michael O’Rielly, pointedly noted, “I would not be surprised to see this issue litigated at some point.”14
1 In addition to its enforcement actions, in October 2014, the FCC joined the Global Privacy Enforcement Network (GPEN), a group of around fifty international data protection authorities that collaborates on cross-border privacy enforcement actions, develops best practices and other policies, and supports law enforcement cooperation. Together with the FTC, also a member, the FCC will now represent the U.S. in GPEN proceedings. Press Release, “FTC Joins Global Privacy Enforcement Network,” October 28, 2014, available at http://www.fcc.gov/document/fcc-joins-global-privacy-enforcement-network.
2 Press Release, “Verizon to Pay $7.4 Million to Settle Consumer Privacy Investigation,” September 3, 2014, http://www.fcc.gov/document/verizon-pay-74m-settle-privacy-investigation-0; Consent Decree & Adopting Order, Verizon, File No. EB-TCD-13-00007027 (FCC Sept. 3, 2014), available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db0903/DA-14-1251A1.pdf.
3 Press Release, “FCC Plans $10 Million Fine for Carriers that Breached Consumer Privacy,” October 24, 2014, available at http://www.fcc.gov/document/fcc-plans-10m-fine-carriers-breached-consumer-privacy.
5 Notice of Apparent Liability for Forfeiture, TerraCom, Inc. and YourTel America, Inc., File No. EB-TCD-13-00009175 (FCC October 24, 2014), available at http://www.fcc.gov/document/10m-fine-proposed-against-terracom-and-yourtel-privacy-breaches. Although a party issued a NAL by the FCC may pay the proposed forfeiture amount, it has a number of additional options, including appealing or seeking a reduction of the penalty from the FCC directly or forcing the FCC, in conjunction with the Department of Justice, to bring suit in federal district court to enforce its proposed judgment. 47 C.F.R. § 1.80(f) (2013).
6 47 U.S.C. § 222(a) (2012).
7 See TerraCom, supra note 5.
8 47 U.S.C. § 201(b) (2012).
9 See TerraCom, supra note 5 (Pai, O’Rielly, dissenting).
10 15 U.S.C. § 45(a)(2) (2012).
11 See Emily Field, “AT&T Says it’s Out of FTC’s Jurisdiction in ‘Throttling’ Suit,” Law360, January 5, 2015, available at http://www.law360.com/articles/608363/at-t-says-it-s-out-of-ftc-s-jurisdiction-in-throttling-suit.
12 Allison Grande, “Privacy Cases to Watch in 2015,” Law360, January 2, 2015, available at http://www.law360.com/articles/605174/privacy-cases-to-watch-in-2015 (discussing challenges to FTC’s data protection authority brought by Wyndham Worldwide Corp. and LabMD Inc.).
13 Allison Grande, “FTC Official Sees No Turf War With FCC On Data Security,” Law360, November 5, 2014, available at http://www.law360.com/privacy/articles/593798/ftc-official-sees-no-turf-war-with-fcc-on-data-security.
14 See TerraCom, supra note 5 (O’Rielly, dissenting).