Highly regulated industries such as banking and healthcare have been at the forefront with robust data security regulations for a number of years. Regulators are now focusing on other industries as data breach incidents continue to capture the nation’s attention.
After imposing a $10 million fine against two relatively small telecom companies in October 2014, the Federal Communications Commission (FCC) recently announced one of the largest data breach related fines ever - a $25 million fine against AT&T for a breach affecting 280,000 customers. The FCC's order (DA 15-399) was issued on April 8 and declared that AT&T Services, Inc. failed to properly protect sensitive personal information of a large number of customers. The personal information included names along with the last four digits of social security numbers and other account-related customer data.
This FCC order makes clear that regulated companies in particular need to be proactive about data security issues. FCC chairman Tom Wheeler said, “as today’s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”
The number of companies now subject to the FCC's jurisdiction in these matters significantly expanded when the FCC added broadband Internet providers to the scope of Title II of the Communications Act of 1934 in its March 12 order on net-neutrality (FCC 15-24). Although the FCC took a "light touch" approach to regulating Internet service providers by granting forbearance on the enforcement of many of Title II's requirements, data security and privacy requirements will be applicable through Section 222 – Protecting Consumer Privacy. Section 222 of Title II was the basis for enforcement of the actions discussed above.
Meanwhile, outside of the realm of highly regulated industries, significant briefings have just concluded in the landmark Third Circuit case of FTC v. Windham. In that case, the Federal Trade Commission (FTC) and Windham Worldwide Corp. are sparring over the extent to which the FTC may regulate cybersecurity practices.
The FTC is taking the broad position that the failure to maintain adequate data security safeguards amounts to an unfair and deceptive trade practice that is within the FTC's jurisdictional mandate. Windham complains that the FTC has never issued proper guidance advising businesses what it considers adequate cybersecurity practices. The FTC has responded by claiming that it has provided such guidance in the various complaints it has filed alleging data privacy failures, and that those complaints, when "taken together" constitute adequate guidance.
Whatever the outcome, the FTC's complaint against Windham does provide guidance as to what the FTC considers inadequate, and is a good starting point for any review of current policies and practices.
What This Means For You
These actions of the FCC and FTC demonstrate that data breach issues can affect every industry. In the FCC's Order, the Commission stated that it “has made clear that it expects telecommunication carriers to take “every reasonable precaution” to protect customer data and it is committed to protecting the personal information of American consumers from misappropriation, breach and unlawful disclosure.
Similarly, the FTC's actions in the Windham case make clear that the FTC intends to broadly pursue data security issues it deems inadequate in any industry, which could ultimately result in liability for inadequate cyber security practices even without an actual breach.
As a result, companies should work now to ensure that they have comprehensive data security policies and procedures in place that meet the guidance provided by the FTC and FCC in these cases.
