The Federal Communications Commission continues to step up its enforcement actions against communications and technology companies with increasing emphasis on spectrum and licensing matters, including operating outside the rules (or with expired authority), unauthorized transfers of control or assignments, and operation of unlawful signal boosters and jammers.
On October 24, the FCC, over the dissent of its two Republican commissioners, issued a Notice of Apparent Liability (NAL) proposing a fine of $10 million to Lifeline eligible telecommunications carriers (“ETCs”) TerraCom, Inc. and YourTel America, Inc. for violations of laws protecting “phone customers’ personal information.”
This is the agency’s first data security case and the largest privacy action in the Commission’s history. See News Release. Friday’s decision follows through on numerous public statements made by FCC Enforcement Bureau Chief Travis LeBlanc indicating that privacy and security is a high enforcement priority for the Commission and that the agency would begin to use a Communications Act provision barring unjust and unreasonable practices as a privacy and security enforcement tool.
According to the NAL, the Enforcement Bureau investigation found that both TerraCom and YourTel “collected names, addresses, Social Security numbers, driver’s licenses and other proprietary information” gathered through the Lifeline eligibility approval process “and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.” The NAL states that the TerraCom and YourTel violations exposed more than 300,000 customers’ personal information to unauthorized access as well as heightened risk of fraud and identity theft.
CPNI Violation. The NAL first alleges that the companies failed to properly protect the confidentiality of consumers’ proprietary information collected from applicants for wireless and wired Lifeline services in violation of Section 222(a) of the Communications Act, which requires that carriers protect the confidentiality of the “proprietary information” of their customers. The FCC proposes a forfeiture of $8.5 million for this violation based on precedent for base forfeitures of $29,000 for previous CPNI violations. Applying the base forfeitures to the alleged over 300,000 violations would have resulted in a proposed penalty of close to $9 billion, but the FCC settled on $8.5 million as “sufficient.”
Unjust and Unreasonable Practices. The NAL next alleges several violations of Section 201(b) of the Communications Act, which prohibits unjust and unreasonable practices, but only proposes a penalty for one such violation. The NAL proposes a $1.5 million penalty against the companies for making false representations in their website privacy policies regarding protecting customers’ sensitive personal information. The FCC alleges that the companies’ failure to follow their own privacy policies was an unjust and unreasonable practice. This forfeiture is based on precedent for a $40,000 base forfeiture for Section 201(b) violations related to deceptive marketing to consumers.
Further, the NAL alleges that by failing to employ reasonable data security practices (such as password protection or encryption) and failing to notify all potentially affected customers of the security breach, the companies apparently violated Section 201(b). However, the agency declined to propose a forfeiture for those two alleged violations because this is the first case in which it makes such findings. The NAL states that carriers are now on notice regarding these potential violations.
The Commission’s use of its authority to police “unjust and unreasonable” practices by telecommunications providers appears to represent a significant expansion of the Commission’s enforcement authority over privacy-related matters and appears to mirror the Federal Trade Commission’s privacy and data security actions under a similar statutory provision in the Federal Trade Commission Act Section 5 barring unfair and deceptive trade practices. The expansion of authority is the reason that Commissioners Pai (R) and O’Reilly (R) dissented. Both Commissioners contended that the FCC had not given fair notice of what data security practices are required. Commissioner O’Reilly also questioned the majority’s interpretation of the CPNI provisions of Section 222.
While the $10 million proposed penalty is the largest privacy action in the Commission’s history and its first foray into data security enforcement, it is not likely to be its last. We expect that the FCC will continue to investigate and take enforcement action against lax data security and other practices that compromise the privacy of consumers’ personal information.
In light of the FCC’s action, all carriers, including especially Lifeline providers, should review their security and privacy practices related to customer eligibility documentation and other personal information, as well as their privacy statements and CPNI policies to ensure that consumer data is adequately safeguarded in a manner that comports not only with the FCC’s CPNI rules but also with federal and state privacy frameworks that will inform the Commission’s determination of what is “unjust and unreasonable” in this area.
With mid-term elections just around the corner, the FCC’s Enforcement Bureau issued a stern warning to political campaigns and calling services regarding their obligation to comply with the TCPA and stating that the Commission “will not hesitate to act to protect consumer privacy and their freedom from the nuisance of unwanted calls.” The Enforcement Advisory reminded potential political callers that they may be liable for forfeiture penalties of up to $16,000 per violation of the rules.
The Federal Communications Commission’s (“FCC”) moved a step closer last Friday to making effective changes adopted in 2011 and 2013 establishing revised international traffic and revenue as well as circuit capacity reporting requirements. As we reported in previous posts and advisories, changes include new reporting obligations for interconnected voice over Internet protocol (“VoIP”) providers and for certain non-common carriers (e.g., non-common carrier satellite operators and submarine cable landing licensees), among other modifications. In addition, affected providers will be required to use new reporting forms and follow new procedures.
At the FCC’s October Open Meeting on October 17, the Commission unanimously adopted a Report and Order to update its rules and procedures for new and modified antenna structures. In the News Release following the vote, the Commission noted the new rules are expected to create the foundation for increased advanced wireless broadband deployment nationwide. In their comments at the Open meeting, the Commissioners focused on the effect the new rules will have to facilitate Distributed Antenna Systems (“DAS”) and small cell deployment.
The full text of the Report and Order has not yet been released. The new rules will take effect 90 days after it is published in the Federal Register. The longer period was a concession to Commissioner Clyburn’s concerns about the burdens on state and local governments to comply with the new rules, which will impose a “shot clock” on state and local government review. Continue Reading
The Federal Communications Commission’s (“FCC’s” or “Commission’s”) new text-to-911 rules are effective today. As we discussed in a previous post immediately following the adoption of the related order, the FCC has mandated that all messaging services that permit users to send text messages using domestic telephone numbers also enable users to communicate with public emergency response providers via text messages. The FCC adopted its Second Report and Order and Third Notice of Proposed Rulemaking in the Text-to-911 proceeding on August 8, 2014. On September 16, the order and NPRM were published in the Federal Register making the rules effective today and setting the comment deadline on the NPRM for today, with reply comments due on November 17.
On September 30, 2014, AT&T Mobility (“AT&T”) asked a U.S. District Court judge to approve a settlement agreement that would resolve a class action arising under the Telephone Consumer Protection Act (“TCPA” or “Act”). In this case, the plaintiffs alleged that AT&T made auto-dialed calls to wireless phone numbers without receiving the prior express consent of the recipients, as required by the TCPA. Specifically, the plaintiffs’ allegations concerned collection calls made to former customers at the wireless number provided when the account was established with AT&T. AT&T disputed the plaintiffs’ claims, arguing that the recipients gave consent to receive these calls when they provided their phone number as the “can-be-reached-at” number for calls regarding AT&T customer accounts. Nevertheless, according to the joint motion submitted to the court, the company has agreed to pay $45 million to settle the dispute. This is one of the largest TCPA settlements in recent history, and continues a trend of high profile TCPA class actions. Continue Reading
On October 3rd, the FCC announced a settlement with Marriott International, Inc. and Marriott Hotel Services, Inc. to resolve an investigation into the hotel operator’s use of a Wi-Fi monitoring and blocking system. In the investigation, the Commission concluded that an operator cannot use such a system to prevent users from connecting to the Internet via their own personal Wi-Fi networks, rather than being limited to the hotel’s own Wi-Fi network, when these users did not pose a threat to the security of the hotel operator or its guests. This consent decree reminds hotel operators and property owners, as well as other property owners that, while they may control the deployment of fixed radio stations on their property, they may not interfere with communications, including Internet wireless access, that occur on their property using mobile devices. As part of the consent decree, the hotel operator agreed to pay $600,000 in “civil penalties” and to implement an extensive three-year compliance plan, with quarterly reporting, focusing on the hotel operator’s access point containment features at all of its U.S. properties, including properties owned and/or operated by the company.
In May of this year, the National Association of Broadcasters (NAB) petitioned the D.C. Circuit to review a Public Notice issued by the Media Bureau. The Public Notice, entitled “Processing of Broadcast Television Applications Proposing Sharing Arrangements and Contingent Interests,” explained a shift in how the Bureau will review certain broadcast license assignments and transfer applications. According to the Notice, transactions where two or more broadcasters in the same market plan to enter sharing agreements or create contingent financial interests will be reviewed with “careful” Commission scrutiny, a seemingly higher standard than the Bureau previously used for these types of transactions.
NAB argued that the Bureau does not have the authority to change the level of scrutiny for broadcast transactions that were otherwise “presumptively valid” under the Commission’s existing media ownership rules. The Association viewed the Public Notice as a “de facto” rule, effectively imposing new regulations without following the proper notice and comment requirements. NAB believed that the Media Bureau exceeded its delegated authority in issuing the Public Notice and that the Notice was “arbitrary, capricious, and an abuse of discretion,” violating the Administrative Procedure Act.
On September 9, the D.C. Circuit granted the FCC’s motion to dismiss, finding that the Court did not have the authority to review the Media Bureau’s Public Notice. The Court agreed with the FCC, stating that the Court only has the jurisdiction to review a “final agency order” and that the Public Notice in question was not a final agency order. Moreover, the Court pointed to a “clear statutory requirement” that the FCC must review a decision by its staff before that decision (or the underlying action) is reviewable by the Court.
Prior to filing its petition, NAB wrote two letters to the FCC’s Secretary, outlining why the Association disagreed with the FCC’s Public Notice. One of the letters ended with a “respectful request” that the “Commission direct the Bureau to withdraw the Public Notice and immediately cease and desist application of the strict scrutiny standard to sharing arrangements that involve contingent interests.” Despite this request, the Court found that the Association’s letter was not the “functional equivalent” of an application for review. To properly obtain judicial review, NAB should have filed a formal application for review with the FCC and waited for the Commission to rule on the application. The outcome of that ruling would then constitute a “final order,” reviewable by the Court.
In its original petition for review, NAB stated that it would be futile to petition the FCC regarding a Public Notice because by virtue of being published, the Notice was implicitly approved by the Commission. The D.C. Circuit did not buy this argument and required more concrete evidence to support NAB’s claim of “futility.”
The Court’s decision sends a strong signal to all parties before regulatory agencies, especially those in front of the FCC. Now, it is clear that if a party disagrees with an agency’s position in a Public Notice, it must file a formal petition for review by the Commission. Only then, will the Court find it has the jurisdiction to review the agency’s action and possibly the underlying Notice. Applications for review must be filed within 30 days of a Public Notice and according to the FCC, the party’s application should explicitly state that the petitioner is submitting an application for review pursuant to 47 C.F.R. § 1.115.
On Tuesday, September 23, the Federal Communications Commission (“FCC” or “Commission”) released an Order reconsidering certain provisions of its February 2013 order adopting a new regulatory framework for consumer and industry use of wireless signal boosters. A companion Further Notice of Proposed Rulemaking (“FNPRM”) seeks comment on whether to remove a “personal use” restriction on the operation of certain kinds of signal boosters. Comments will be due 30 days after Federal Register publication and reply comments 20 days later.
The February Signal Booster Order adopted new technical, operational and registration requirements for two classes of signal boosters – Consumer and Industrial. For Consumer signal boosters, the FCC adopted design and manufacturing requirements (the Network Protection Standard or NPS) which must be met before such boosters could be used, with the consent of licensed commercial mobile radio service, CMRS, providers. The major CMRS carriers agreed to blanket consent by registration of qualified Consumer Boosters. The Commission adopted different technical parameters for two categories of Commercial Boosters: Wideband Consumer Signal Boosters (that operate across multiple carriers) and Provider-Specific Consumer Signal Boosters.
First, in the Order, the Commission agreed with the petition for reconsideration filed by a group called the Wi-Ex Petitioners and streamlined its equipment certification process for Wideband Consumer Signal Boosters by amending certain technical requirements related to downlink noise and gain limits. Second, the Commission agreed with a widely supported joint statement proposing revised technical rules for the manufacture and operation of mobile Provider-Specific Consumer Signal Boosters. The joint statement was filed after successful negotiations between the group that petitioned for reconsideration (the Verizon Petitioners) and a company called Nextivity that had opposed the petition. The rules are modified to require all mobile Provider-Specific Consumer Signal Boosters to meet the same noise limits as mobile Wideband Consumer Signal Boosters. The FCC also modified the applicable kitting and labeling requirements. With one exception, the rules will take effect 30 days after publication in the Federal Register.
In the Further Notice, the FCC seeks comment regarding whether it should relax the rules for Provider-Specific Consumer Signal Boosters and drop the “personal use” restriction applicable to them. The Commission is considering this rule modification given that the booster user will have obtained consent from its CMRS provider, which presumably will allow the carriers to adequately control booster use without continued need for the restriction. (The “personal use” restriction also applies to Wideband Consumer Signal Boosters, but no change for this category is proposed).