On November 5, the FCC resolved its first ever data security action against a cable company with a $595,000 settlement. According to the FCC, the company did not have adequate data security measures in place for employees and contractors with access to the company’s electronic data systems. In 2014, the company’s electronic data systems were breached by a third party who, by pretending to be from the company’s IT department, convinced a customer service representative and a contractor to enter their account information into a fake website. The third party hacker allegedly used the information to gain access to customers’ personally identifiable information, subsequently sharing the information with another hacker and posting the information on social media sites. The cable company did not use the FCC’s breach-reporting portal to report the breaches. In addition to the civil money penalty, the settlement requires the company to: (i) identify and notify all customers affected by the breach and provide them with one year of free credit report monitoring; (ii) designate a senior corporate manager who is a certified privacy professional; (iii) conduct privacy risk assessments; (iv) implement a written information security program; (v) maintain reasonable oversight of third party vendors and implement multi-factor authentication; (vi) implement a more robust data breach response plan; (vii) provide privacy and security training to third party vendors and employees; and (viii) regularly file compliance reports with the FCC.
On November 16, the FCC and the FTC executed a Memorandum of Understanding (MOU) on continued cooperative efforts to protect consumers from unfair and deceptive acts and practices involving telecommunications services. In an effort to formalize existing cooperation among the agencies, the MOU outlines the ways in which the two agencies will continue to work together, including: (i) coordinating agency initiatives where one agency’s action will significantly impact the other agency’s authority or programs; (ii) sharing investigative techniques and tools, intelligence, technical and legal expertise, as necessary, in addition to best practices in response to reasonable requests for such assistance; and (iii) collaborating on consumer and industry outreach and education efforts, as appropriate. Moreover, the MOU identifies the scope of each agency’s enforcement authority with respect to common carriers, and confirms that the 2003 MOU regarding Telemarketing Enforcement between the two agencies remains effective, stating that the most recent MOU should not “be construed as altering, amending, or invalidating that  MOU.”
On September 11, the FCC issued citations against a Pennsylvania-based financial institution and a transportation network company (TNC), alleging that both companies engaged in unlawful business practices by infringing consumers’ rights to be free of unauthorized telemarketing robocalls to residential and wireless phones. The financial institution’s citation alleges that the bank required customers to agree to receive autodialed telemarketing texts in order to use its online banking and Apple Pay services. The TNC’s citation alleges that, although it allows consumers who sign up for ride-sharing service to opt out of receiving autodialed or prerecorded telemarketing calls and texts, the TNC does not allow users to access the service if they exercise these opt out rights. Both citations allege that these practices violate the FCC’s rules implementing the Telephone Consumer Protection Act (TCPA), and direct the companies to take immediate steps to come into compliance with the FCC’s rules, orders, and the TCPA prohibition against unlawful marketing and advertising calls. The FCC also warned that future violations may result in monetary forfeitures.
District Court Finds that Texts Sent Via Mobile App Not Subject to TCPA Due to Users’ “Affirmative Choices” to Send Messages
On August 24, a California district court ruled in favor of a rewards-based app company, rejecting plaintiffs’ arguments that the company violated the Telephone Consumer Protection Act (TCPA). Huricks v. Shopkick, Inc., No. c-14-2464-mmc (N.D. Cal. Aug. 24, 2015). In Huricks, plaintiffs brought a putative class action, arguing that the company’s mobile app sent spam text messages with links to the company’s website to mobile phones without consumers’ consent in violation of the TCPA and a derivative claim under the California Business and Professions Code. In rejecting plaintiffs’ claims and granting summary judgment on all counts, the court relied on a recent FCC Order where the FCC ruled, among other matters, that a company was not the maker or initiator of invitational text messages subject to the TCPA’s requirements when users of the app make a series of “affirmative choices” in order for the text messages to be sent. The court ruled that, even though the company controlled the text message’s content, the company’s evidence established that a user of its app “must [have] proceed[ed] through a multi-step invitation flow within the app” to cause text messages to be sent to the user’s contacts. The court noted that users of the app had to (i) tap a button to invite friends, (ii) choose which contacts to invite, and (iii) choose to send the text message by selecting another button. The court concluded the company was not the initiator of these texts under the TCPA and granted the company’s motion for summary judgment.
On July 9, the FCC announced a $3.5 million settlement with carriers TerraCom, Inc. and YourTel America, Inc. to resolve an investigation into the exposure of personal information of over 300,000 of their customers online via unprotected servers used by their vendors to store customer information. The exposed information included names, addresses, Social Security numbers, driver’s licenses, and other pieces of sensitive information that were viewable by anyone with access to a search engine. Section 222(a) of the Communications Act imposes on carriers a duty to protect the confidentiality of “proprietary information of… customers” and the FCC Enforcement Bureau viewed this incident as a violation of that duty, as well as its duty under Section 201(b) to employ “just and reasonable” data security practices to protect the confidentiality of consumers’ proprietary information. Under the settlement, TerraCom and YourTel are required to (i) designate a senior corporate manager with certified privacy expertise, (ii) conduct a privacy risk assessment, (iii) put in place a written information security program and data breach response plan, (iv) maintain “reasonable oversight” of third-party vendors, and (v) offer privacy and security training. FCC-regulated entities should review their privacy and data security practices to ensure that they are taking appropriate steps to protect their customers’ proprietary information.
On June 18, the FCC held an Open Commission Meeting, during which the Commission adopted Chairman Wheeler’s proposal to strengthen consumer protection under the TCPA. The set of declaratory rulings included in the proposal affirms consumers’ rights to revoke their consent to receive robocalls or robotexts at any reasonable time an in any reasonable way, and gives carriers the ability to provide consumers with “Do Not Disturb” technology. The Commission’s June 18 Action by Declaratory Ruling and Order was described as an effort to close “loopholes and [strengthens] consumer protections already on the books.”
FCC Chairman Circulates Proposal to Strengthen Consumer Protection Under the TCPA; Open Meeting Scheduled For June 18
On May 27, the FCC released a fact sheet outlining Chairman Wheeler’s proposal for a series of rulings under the Telephone Consumer Protection Act (TCPA) that he asserts will better protect American consumers from unsolicited robocalls, spam text messages, and telemarketing calls. If adopted, the proposal would, among other things: (i) give consumers the right to revoke their consent to receive robocalls and robotexts at any reasonable time and in any reasonable way; (ii) authorize carriers to offer robocall-blocking or “Do Not Disturb” technologies to consumers; and (iii) require robocallers to stop calling a number when it has been reassigned to a new subscriber. Responding to multiple petitions that “sought clarity on how the Commission enforces” the TCPA, the proposal aims to “close loopholes and strengthen consumer protections already on the books.” The Chairman’s proposal is scheduled to be voted on at the Open Commission Meeting on June 18.
On May 20, the FCC released an enforcement advisory regarding the enforcement of Section 222 of the Communications Act as it relates to providers of broadband Internet access service (BIAS). The advisory bulletin indicates that, until the FCC implements new BIAS-specific privacy regulations, the Enforcement Bureau will “focus on whether broadband providers are taking reasonable, good-faith steps to comply with Section 222, rather than focusing on technical details.” Thus, “the Enforcement Bureau intends that broadband providers should employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.”
Two regulatory enforcement matters announced in April offer a view into the current mindset of regulators in the ever-evolving world of vendor management. First, the Federal Communications Commission (FCC) announced a $25 million settlement with a telecommunications carrier related to the unauthorized release of personal information of more than a quarter-million customers. The identified cause of the data breach were employees of the carrier’s service providers based in Mexico, Columbia, and the Philippines, who confessed to selling customer information to unauthorized third parties. In holding the carrier responsible, the FCC issued its largest data security enforcement action to date. Although severe in its punishment, the FCC action did not break new ground, as regulators have shown an increasing willingness in recent years to assess monetary penalties against supervised institutions for legal violations committed by vendors.
“This approach is entirely consistent with the FCC’s past enforcement actions related to data security breaches, as well as those of other regulatory bodies where consumer harm has resulted,” advises Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “In the current environment, virtually every regulator has made accountability a fundamental axiom of its vendor management guidance.” Read more…
On April 8, the Federal Communications Commission (FCC) announced a $25 million settlement with an international telecommunications carrier concerning the unauthorized release of the personal information of nearly 280,000 customers by certain employees. The alleged data breach took place over a 168-day period at carrier call centers in Mexico, Columbia, and the Philippines where employees of the carrier allegedly were paid by unauthorized third parties to disclose confidential customer information. The third parties appear to have sought the information to unlock and traffic stolen cell phones. The FCC Enforcement Bureau found that the data breach violated a carrier’s duty under Section 222 of the Communications Act and also constituted “an unjust and unreasonable practice” under Section 201. In addition to paying the $25 million civil money penalty, terms of the settlement require the carrier to (i) notify all affected customers and reimburse them for any subsequent credit monitoring services; and (ii) implement new internal policies to improve the carrier’s privacy and data security practices. For more information on the latest regulatory guidance on data security and evolving best practices, please visit the Privacy, Cyber Risk, and Data Security Resource Center.
On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.
On October 14, the ABA submitted a petition to the FCC requesting that it exercise its statutory authority to allow financial institutions to send consumers certain security and fraud alerts without the consumers’ prior consent. Specifically, the consumers would receive alerts regarding: (i) transactions suggesting a risk of identity theft or fraud; (ii) potential security breaches involving personal information; (iii) preventative steps consumers can take to decrease their chances of falling victim to security breaches, in addition to steps they can take to remedy harm already caused by a breach; and (iv) actions required to receive a receipt for money transfers. The petition notes that the most effective way to ensure that consumers receive these important messages is through automated texts and calls to mobile devices and accordingly requests that the FCC allow for an exemption to the Telephone Consumer Protection Act to ensure that customers receive security and fraud notifications in a timely manner.
On October 8, the FCC announced a $105 million settlement – the largest in the agency’s history – with a mobile telephone company to resolve allegations that the company engaged in unauthorized billing practices. According to the FCC, the company charged customers for third-party services, such as subscriptions for ringtones, wallpapers, and certain premium text messages, for which they did not sign up. Many customers contested the charges, only to discover that the company either refused to issue refunds or refunded them for only one or two months. Under the terms of the settlement, which the FCC negotiated with the FTC and the attorney generals of the 50 states and the District of Columbia, the company must pay $80 million to the current and former customers affected by its billing practices, $20 million to the state governments involved in the settlement, and $5 million to the U.S. Treasury.
On December 30, the Senate confirmed Carol Galante as Assistant Secretary of Housing and Urban Development and Federal Housing Administration Commissioner. Ms. Galante, who was nominated for the position in October 2011, has been serving in an acting role. Her confirmation was made possible after certain Senators, including Bob Corker (R-TN), who had expressed concerns about the pace of reforms at the FHA, secured a commitment from Ms. Galante to (i) place a moratorium on the full drawdown reverse mortgage program, (ii) substantially increase underwriting criteria for borrowers with FICO scores between 580 and 620 by establishing a meaningful maximum debt-to-income ratio, (iii) increase the down payment requirement and the insurance pricing for loans between $625,000 and $729,000, and (iv) increase underwriting requirements for borrowers who have been foreclosed upon within the last seven years. On January 1, as described in media reports, the Senate confirmed Joshua Wright as FTC Commissioner and Mignon Clyburn as FCC Commissioner, and also confirmed Richard Berner for the new position of Director of the Treasury Department’s Office of Financial Research.
On October 12, the U.S. Court of Appeals for the Ninth Circuit upheld provisional class certification for a plaintiff debtor, who claimed that a debt collector had violated the Telephone Consumer Protection Act (TCPA) by using an automatic dialer to place calls to plaintiff and other debtors’ cellular telephone numbers obtained via skip-tracing, and where the debtors also had not expressly consented to be called. Meyer v. Portfolio Recovery Assocs. LLC, No. 11-56600, 2012 WL 4840814 (9th Cir. Oct. 12, 2012). The debt collector argued, in part, that typicality or commonality issues should preclude class certification because some debtors might have agreed to be contacted at their telephone numbers, which were obtained after the debtors incurred the debt at issue. Citing a recent FCC declaratory ruling, the court noted that prior express consent is deemed granted only if the debtor provides a cellular telephone number at the time of the transaction that resulted in the debt at issue. The court thus rejected the debt collector’s argument, and held that debtors who provide their cellular telephone numbers after the time of the original transaction are not deemed to have consented to be contacted under the TCPA. In addition, the court upheld the district court’s grant of a preliminary injunction to the plaintiff, finding that he had established a likelihood of success on his TCPA claim and had demonstrated irreparable harm based on the debt collector’s continuing violations of that statute.