BreachExchange mailing list archives

FCC imposes first cybersecurity fine


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Oct 2014 19:17:23 -0600

http://www.insidecounsel.com/2014/10/27/fcc-imposes-first-cybersecurity-fine

Private customer information has become a business asset in the connected
age, and as criminals increasingly target large corporations to extract
that information, regulators are being brought to task over how to
implement fines for those who leave their data vulnerable.

The Federal Communications Commission (FCC) has become the latest to join
the ranks of regulators imposing fines for data negligence on companies,
announcing on Oct 24 that it will impose its first fine related to data
security on phone providers TerraCom Inc and YourTel America Inc. The FCC
is asking for $10 million regarding the issue.

The Commission alleges that the two companies collected personal
information, including contact information and social security numbers,
from customers in a manner that exposed its customer base to considerable
risk of data theft. The fine was imposed based on the companies’ violation
of the Communications Act of 1934.

In its statement associated with the announcement the FCC said, “We find
that TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel)
(collectively, the Companies) apparently willfully and repeatedly violated
the law when they allegedly: (i) failed to properly protect the
confidentiality of consumers’ PI they collected from applicants for the
Companies’ wireless and wired Lifeline telephone services; (ii) failed to
employ reasonable data security practices to protect consumers’ PI; (iii)
engaged in deceptive and misleading practices by representing to consumers
in the Companies’ privacy policies that they employed appropriate
technologies to protect consumers’ PI when, in fact, they had not; and (iv)
engaged in unjust and unreasonable practices by not fully informing
consumers that their PI had been compromised by third-party access.”

More specifically, the FCC says that the companies stored private
information on an Internet page where it was clearly visible to just about
anyone. The companies also failed to alert their customer base once they
had been made aware of the risk, which means that data thieves could
potentially have used the information even after it had been taken down. As
TerraCom and YourTel targeted low-income customers, the FCC has taken
specific issue with such tactics because subscribers may not have other
options available to them.

The news underscores one of the major issues surrounding data breaches and
private information. As of yet, no concrete set of regulations or laws has
been established to give organizations a minimum bar for data protection.
While the Federal Trade Commission, Securities and Exchange Commission and
Department of Justice have each previously led investigations or
established fines following major cyber events, these are generally related
to egregious negligence rather than lack of compliance with set standards.

Though this case specifically uses the Communications Act to slap a fine on
a data-negligent company, the FCC is not expected to take up the charge as de
facto cybersecurity regulator. That being said, this instance could offer a
potential model for how things will work in the meantime, with industry
regulators imposing cybersecurity fines for their area of expertise.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
