On July 9, 2015, the Federal Communications Commission settled its first data security case with two related telecommunications carriers – TerraCom, Inc. and YourTel America, Inc. – for $3.5 million. The settlement resolves the FCC’s investigation into whether the carriers violated the federal Communications Act of 1934, 47 U.S.C. section 151 et. seq. (the “Act”) by failing to protect the confidentiality of personal information they received from more than 300,000 consumers.
TerraCom and its affiliate YourTel collected sensitive data on consumers in order to establish eligibility for the Lifeline program, a government-sponsored program that provides discounted phone services to low-income individuals. To prove their eligibility, potential customers were asked for personal information, including their names, addresses, Social Security numbers, dates of birth, and driver’s license numbers. In their privacy policies, the companies claimed to have in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access.”
However, despite their pledge, the carriers’ third-party vendor inadvertently stored the personal information of more than 300,000 customers in “clear, readable text” on unprotected Internet servers that “anyone in the world could access with a search engine and basic manipulation.” From September 2012 through April 2013, the information had been stored on the third-party vendor’s servers, in two publicly accessible folders that lacked any password protection or encryption, according to the FCC. After being put on notice of the security lapse, TerraCom and YourTel failed to notify all potentially affected customers, depriving those individuals of the opportunity to protect their personal information.