TerraCom, YourTel To Pay $3.5 Million To Resolve FCC Privacy, Lifeline Probe
TerraCom and YourTel America will pay a $3.5 million civil penalty and take remedial steps to resolve an FCC investigation into whether the companies failed to protect the confidential personal information of more than 300,000 consumers applying for Lifeline USF service, under an Enforcement Bureau order and consent decree released Thursday. The settlement also resolves an investigation into whether YourTel violated FCC rules by failing to de-enroll subscribers for Lifeline low-income support in a timely fashion after being ordered to do so by the Universal Service Administrative Co. Both companies admitted to violating FCC rules.
The companies' vendor stored the consumer information on unprotected servers, accessible over the Internet, exposing it to a data breach, the order said. TerraCom and YourTel collected the information, including birth dates, Social Security numbers and other sensitive data and documents, to determine Lifeline eligibility. The companies notified the bureau after a Scripps Howard investigative reporter discovered the exposure and was preparing an article, according to an October notice of apparent liability.
“Consumers rightly expect that companies will take every reasonable precaution to protect their personal information,” said Enforcement Bureau Chief Travis LeBlanc in an agency release. “It is a breach of customer trust for a company to promise to protect personal information while failing to take reasonable measures to protect sensitive customer information from unauthorized access by anyone with a search engine. This settlement ensures that these companies take concrete steps to improve their security practices and prevent breaches like this from happening again.”
“The companies are pleased to reach this amicable settlement with the FCC and to move forward,” said a TerraCom spokesperson in an email statement to us. “This incident resulted from a very unfortunate and inadvertent lapse in the robust data protections we require and our vendor provides. Upon discovering it we immediately fixed the problem and notified the FCC, and no actual harm to consumers occurred. We do not believe that we violated any law or rules, and in this settlement we acknowledged violations only for purposes of reaching this consent decree. We appreciate the cooperation the FCC has shown in reaching this resolution.”
In addition to paying the penalty, TerraCom and YourTel agreed to develop and implement a compliance plan with appropriate procedures to protect consumers against similar data breaches in the future, said the order, adding: "In particular, TerraCom and YourTel will be required to improve their privacy and data security practices by: (i) designating a senior corporate manager who is a certified privacy professional; (ii) conducting a privacy risk assessment; (iii) implementing a written information security program; (iv) maintaining reasonable oversight of third party vendors; (v) implementing a data breach response plan; and (vi) providing privacy and security awareness training to employees. Additionally, YourTel will be required to implement a compliance plan to improve its compliance with the Lifeline eligibility and de-enrollment rules. TerraCom and YourTel will also file regular compliance reports with the FCC."