The Federal Communications Commission recently settled its first data security case with two telephone companies – TerraCom Inc. and YourTel America Inc. – for $3.5 million. As we previously reported, the FCC initially proposed a $10 million fine for both companies’ alleged failures to protect the personal information of over 300,000 of their customers after Social Security numbers, drivers’ licenses, and other data were placed on servers that could be publicly accessed and viewed on the Internet for six months.
Both TerraCom and YourTel agreed to the civil penalty to end the agency’s investigation into this release of customer information by their third-party vendor and will take certain steps to improve their security practices and prevent similar breaches in the future. According to the FCC Enforcement Bureau Chief: “It is a breach of customer trust for a company to promise to protect personal information [as the companies did in their privacy policies] while failing to take reasonable measures to protect sensitive customer information from unauthorized access by anyone with a search engine.”
TIP: Regulators are increasingly concerned about the protection that companies give to personally identifiable information. This settlement is another reminder that, after a public breach, companies may face scrutiny over the sufficiency of their underlying protective measures.