TerraCom, YourTel to Pay $3.5 Million to Resolve Consumer Privacy Violations

TerraCom, YourTel to Pay $3.5 Million to Resolve Consumer Privacy Violations
July 9, 2015

The Federal Communications Commission (FCC) has entered into a $3.5 million settlement with TerraCom, Inc. and YourTel America, Inc., resolving an investigation into whether the companies failed to properly protect the confidentiality of personal information they received from more than 300,000 consumers.

This settlement also resolves the FCC's investigation into YourTel's failure to comply with Commission instructions to remove ineligible Lifeline subscribers which resulted in over-billing of the federal program.

The FCC says that a thorough Enforcement Bureau investigation found that the companies' vendor stored consumers' personal information on unprotected servers that were accessible over the Internet. The companies' failure to provide reasonable protection for their customers' personal information – including names, addresses, Social Security numbers, driver's licenses, and other sensitive information – resulted in a data breach that permitted anyone with a search engine to gain unauthorized access to the information.

"Consumers rightly expect that companies will take every reasonable precaution to protect their personal information," said Travis LeBlanc, Chief of the FCC's Enforcement Bureau. "It is a breach of customer trust for a company to promise to protect personal information while failing to take reasonable measures to protect sensitive customer information from unauthorized access by anyone with a search engine. This settlement ensures that these companies take concrete steps to improve their security practices and prevent breaches like this from happening again."

As a condition of settlement, the companies will pay a $3.5 million civil penalty to the FCC. The companies will also notify all consumers whose information was subject to unauthorized access, provide complimentary credit monitoring services for all affected individuals, and undertake additional measures to mitigate any potential harm to consumers. According to the FCC, the information had been collected by the companies to demonstrate eligibility for the Lifeline program, which is a Universal Service Fund program that provides discounted phone services for low-income consumers.

The settlement also resolves an investigation into YourTel's failure to timely de-enroll Lifeline subscribers. In 2012, the Commission instructed YourTel to de-enroll subscribers who were ineligible for Lifeline-supported service. The FCC says that company continued to provide this service to a number of ineligible subscribers during 2012 and 2013. As a result, the company overbilled the Lifeline program by seeking reimbursement for serving those subscribers.

Additionally, the FCC reports that the companies have committed to improve their privacy and data security practices in concrete ways. They will conduct an assessment of any other privacy risks, implement a security program to protect written information, maintain strict oversight of their vendors, and assure that a senior corporate manage is a certified privacy professional. They will also implement a data breach response plan, train their employees on privacy and security awareness, and file regular compliance reports with the Commission.

The failure to reasonably secure customers' proprietary information, including their personal data, violates a carrier's duty under Section 222 of the Communications Act, and also constitutes an unjust and unreasonable practice in violation of Section 201 of the Act. The Commission says that it expects telecommunications carriers to take "every reasonable precaution" to protect their customers' data.

YourTel's settlement with the FCC also requires the company to implement strong measures to improve its compliance with Lifeline program rules. YourTel must designate a senior corporate manager to serve as a compliance officer, develop a comprehensive compliance plan, and report regularly to the Enforcement Bureau on compliance, as well as take other steps designed to ensure the company does not overbill the Lifeline program.