BreachExchange mailing list archives
FCC imposes first cybersecurity fine
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Oct 2014 19:17:23 -0600
http://www.insidecounsel.com/2014/10/27/fcc-imposes-first-cybersecurity-fine Private customer information has become a business asset in the connected age, and as criminals increasingly target large corporations to extract that information, regulators are being brought to task over how to implement fines for those who leave their data vulnerable. The Federal Communications Commission (FCC) has become the latest to join the ranks of regulators imposing fines for data negligence on companies, announcing on Oct 24 that it will impose its first fine related to data security on phone providers TerraCom Inc and YourTel America Inc. The FCC is asking for $10 million regarding the issue. The Commission alleges that the two companies collected personal information, including contact information and social security numbers, from customers in a manner that exposed its customer base to considerable risk of data theft. The fine was imposed based on the companies’ violation of the Communications Act of 1934. In its statement associated with the announcement the FCC said, “We find that TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel) (collectively, the Companies) apparently willfully and repeatedly violated the law when they allegedly: (i) failed to properly protect the confidentiality of consumers’ PI they collected from applicants for the Companies’ wireless and wired Lifeline telephone services; (ii) failed to employ reasonable data security practices to protect consumers’ PI; (iii) engaged in deceptive and misleading practices by representing to consumers in the Companies’ privacy policies that they employed appropriate technologies to protect consumers’ PI when, in fact, they had not; and (iv) engaged in unjust and unreasonable practices by not fully informing consumers that their PI had been compromised by third-party access.” More specifically, the FCC says that the companies stored private information on an Internet page where it was clearly visible to just about anyone. The companies also failed to alert their customer base once they had been made aware of the risk, which means that data thieves could potentially have used the information even after it had been taken down. As TerraCom and YourTel targeted low income customers the FCC has taken specific issue with such tactics because subscribers may not have other option available to them. The news underscores one of the major issues surrounding data braches and private information. As of yet, no concrete set of regulations or laws has been established to give organizations a minimum bar for data protection. While the Federal Trade Commission, Securities and Exchange Commission and Department of Justice have each previously lead investigations or established fines following major cyber event, these are generally related to egregious negligence rather than lack of compliance with set standards. Though this case specifically uses the Communications Act to slap a fine on data negligent company, the FCC is not expected to take up the charge as de facto cybersecurity regulator. That being said, this instance could offer a potential model for how things will work in the meantime, with industry regulators imposing cybersecurity fines for their area of expertise.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
Current thread:
- FCC imposes first cybersecurity fine Audrey McNeil (Nov 04)