The Federal Communications Commission leapt into data security litigation Friday, levying a $10 million fine against two telecom companies that allegedly stored personally identifiable customer data online without firewalls, encryption or password protection.
The two companies, YourTel America and TerraCom, share the same owners and management. From September 2012 to April 2013, the FCC said, the companies collected information online from applicants to Lifeline, the government's telephone subsidy program for poor Americans. To prove their eligibility, potential customers are asked for personal information, including Social Security numbers, dates of birth, addresses, names and drivers' license numbers.
Rather than store this data securely or destroy it after they were done proving eligibility, according to the FCC, the companies kept the information on publicly accessible Internet servers. When reporters for the Scripps Howard News Service stumbled on the data with a simple Google search, they reported on the lax security and notified the FCC. As many as 300,000 customers may have been affected by the unsecured data, the FCC said.
These companies "made their customers' personal, sensitive information publicly accessible to all the world via the Internet," said Travis LeBlanc, the FCC's top enforcement official. "This is unacceptable. … This is the first data security enforcement action [by the FCC], but it will not be the last."
The agency's $10 million fine will be shared between YourTel and TerraCom. A spokesman for the companies did not immediately respond to a request for comment.
It's no surprise the FCC is growing increasingly interested in privacy cases. The year has been marked by a series of high-profile data breaches, indicating both a real danger to consumers, as well as an opportunity for regulators. So far, the Federal Trade Commission has filed most of the complaints against companies that have failed to safeguard their data. But the FCC's action Friday — its second privacy case in as many months and the first dealing with data security — suggests it sees a growing role for itself as a privacy regulator, too.
"This is a warning to other carriers," said LeBlanc. "We will not tolerate conduct that puts American consumers at risk of fraud and identity theft."