On July 9, 2015, the Federal Communications Commission settled its first data security case with two related telecommunications carriers – TerraCom, Inc. and YourTel America, Inc. – for $3.5 million. The settlement resolves the FCC’s investigation into whether the carriers violated the federal Communications Act of 1934, 47 U.S.C. section 151 et. seq. (the “Act”) by failing to protect the confidentiality of personal information they received from more than 300,000 consumers.

TerraCom and its affiliate YourTel collected sensitive data on consumers in order to establish eligibility for the Lifeline program, a government-sponsored program that provides discounted phone services to low-income individuals. To prove their eligibility, potential customers were asked for personal information, including their names, addresses, Social Security numbers, dates of birth, and driver’s license numbers. In their privacy policies, the companies claimed to have in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access.”

However, despite their pledge, the carriers’ third-party vendor inadvertently stored the personal information of more than 300,000 customers in “clear, readable text” on unprotected Internet servers that “anyone in the world could access with a search engine and basic manipulation.” From September 2012 through April 2013, the information had been stored on the third-party vendor’s servers, in two publicly accessible folders that lacked any password protection or encryption, according to the FCC. After being put on notice of the security lapse, TerraCom and YourTel failed to notify all potentially affected customers, depriving those individuals of the opportunity to protect their personal information.Continue Reading FCC Settles First Data Security Enforcement Action

This post was written by Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

Google, Inc. agreed to a proposed consent order over charges that it used deceptive tactics and violated its privacy promises to consumers when it launched its social network, Google Buzz. The Agency alleged in its Complaint that Google’s information practices violated Section 5 of the FTC Act.

As background, in February 2010, Google launched Buzz, a social networking service within Gmail, its web-based email product. Google used the information of Gmail users, including first and last name and email contacts, to populate the social network. Gmail users were, in many instances, automatically set up with “followers” (people that followed the user or people that the user followed). According to the FTC’s Complaint, even if a user did not enroll in Buzz, the user’s information was shared in a number of ways (e.g., a user who did not enroll in Buzz could still be followed by other Gmail users who enrolled in Buzz). The FTC also alleges that the setup process for Gmail users who enrolled in Buzz did not adequately communicate that certain previously private information would be shared publicly by default. Further, the FTC alleges that certain personal information of Gmail users was shared without consumers’ permission through Buzz (e.g., some information was searchable on the Internet and could be indexed by Internet search engines).Continue Reading FTC and Google – Proposed Settlement Over “Buzz”