FCC Releases Enforcement Advisory Regarding Privacy and Internet Service Providers

On May 20, the FCC released an enforcement advisory regarding the enforcement of Section 222 of the Communications Act as it relates to providers of broadband Internet access service (BIAS). The advisory bulletin indicates that, until the FCC implements new BIAS-specific privacy regulations, the Enforcement Bureau will “focus on whether broadband providers are taking reasonable, good-faith steps to comply with Section 222, rather than focusing on technical details.” Thus, “the Enforcement Bureau intends that broadband providers should employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.”


Spotlight on Vendor Management: “Brother’s Keeper” Enforcement Pattern Becoming the Norm

Moorari-Shah-webElizabeth-McGinn-webTwo regulatory enforcement matters announced in April offer a view into the current mindset of regulators in the ever-evolving world of vendor management.  First, the Federal Communications Commission (FCC) announced a $25 million settlement with a telecommunications carrier related to the unauthorized release of personal information of more than a quarter-million customers.  The identified cause of the data breach were employees of the carrier’s service providers based in Mexico, Columbia, and the Philippines, who confessed to selling customer information to unauthorized third parties.  In holding the carrier responsible, the FCC issued its largest data security enforcement action to date.  Although severe in its punishment, the FCC action did not break new ground, as regulators have shown an increasing willingness in recent years to assess monetary penalties against supervised institutions for legal violations committed by vendors.

“This approach is entirely consistent with the FCC’s past enforcement actions related to data security breaches, as well as those of other regulatory bodies where consumer harm has resulted,” advises Elizabeth McGinn, Partner in the D.C. office of BuckleySandler.  “In the current environment, virtually every regulator has made accountability a fundamental axiom of its vendor management guidance.”    Read more…


FCC Enters Into $25 Million Settlement Following Cell Phone Carrier Data Breach

On April 8, the Federal Communications Commission (FCC) announced a $25 million settlement with an international telecommunications carrier concerning the unauthorized release of the personal information of nearly 280,000 customers by certain employees. The alleged data breach took place over a 168-day period at carrier call centers in Mexico, Columbia, and the Philippines where employees of the carrier allegedly were paid by unauthorized third parties to disclose confidential customer information. The third parties appear to have sought the information to unlock and traffic stolen cell phones. The FCC Enforcement Bureau found that the data breach violated a carrier’s duty under Section 222 of the Communications Act and also constituted “an unjust and unreasonable practice” under Section 201. In addition to paying the $25 million civil money penalty, terms of the settlement require the carrier to (i) notify all affected customers and reimburse them for any subsequent credit monitoring services; and (ii) implement new internal policies to improve the carrier’s privacy and data security practices. For more information on the latest regulatory guidance on data security and evolving best practices, please visit the Privacy, Cyber Risk, and Data Security Resource Center.


FCC Joins Global Privacy Enforcement Network

On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.


ABA Petitions FCC To Allow Security And Fraud Alerts To Customers Without Consent

On October 14, the ABA submitted a petition to the FCC requesting that it exercise its statutory authority to allow financial institutions to send consumers certain security and fraud alerts without the consumers’ prior consent. Specifically, the consumers would receive alerts regarding: (i) transactions suggesting a risk of identity theft or fraud; (ii) potential security breaches involving personal information; (iii) preventative steps consumers can take to decrease their chances of falling victim to security breaches, in addition to steps they can take to remedy harm already caused by a breach; and (iv) actions required to receive a receipt for money transfers. The petition notes that the most effective way to ensure that consumers receive these important messages is through automated texts and calls to mobile devices and accordingly requests that the FCC allow for an exemption to the Telephone Consumer Protection Act to ensure that customers receive security and fraud notifications in a timely manner.


FCC Settles With Large Mobile Telephone Company In Connection With Hidden Third-Party Charges

On October 8, the FCC announced a $105 million settlement – the largest in the agency’s history – with a mobile telephone company to resolve allegations that the company engaged in unauthorized billing practices. According to the FCC, the company charged customers for third-party services, such as subscriptions for ringtones, wallpapers, and certain premium text messages, for which they did not sign up. Many customers contested the charges, only to discover that the company either refused to issue refunds or refunded them for only one or two months. Under the terms of the settlement, which the FCC negotiated with the FTC and the attorney generals of the 50 states and the District of Columbia, the company must pay $80 million to the current and former customers affected by its billing practices, $20 million to the state governments involved in the settlement, and $5 million to the U.S. Treasury.

COMMENTS: Comments Off
POSTED IN: Consumer Finance, Federal Issues

Senate Confirms FHA Commissioner and Other Key Agency Nominees

On December 30, the Senate confirmed Carol Galante as Assistant Secretary of Housing and Urban Development and Federal Housing Administration Commissioner. Ms. Galante, who was nominated for the position in October 2011, has been serving in an acting role. Her confirmation was made possible after certain Senators, including Bob Corker (R-TN), who had expressed concerns about the pace of reforms at the FHA, secured a commitment from Ms. Galante to (i) place a moratorium on the full drawdown reverse mortgage program, (ii) substantially increase underwriting criteria for borrowers with FICO scores between 580 and 620 by establishing a meaningful maximum debt-to-income ratio, (iii) increase the down payment requirement and the insurance pricing for loans between $625,000 and $729,000, and (iv) increase underwriting requirements for borrowers who have been foreclosed upon within the last seven years. On January 1, as described in media reports, the Senate confirmed Joshua Wright as FTC Commissioner and Mignon Clyburn as FCC Commissioner, and also confirmed Richard Berner for the new position of Director of the Treasury Department’s Office of Financial Research.


Ninth Circuit Upholds Class Certification in TCPA Case

On October 12, the U.S. Court of Appeals for the Ninth Circuit upheld provisional class certification for a plaintiff debtor, who claimed that a debt collector had violated  the Telephone Consumer Protection Act (TCPA)  by using an automatic dialer to place calls to plaintiff and other debtors’ cellular telephone numbers obtained via skip-tracing, and where the debtors also had not expressly consented to be called. Meyer v. Portfolio Recovery Assocs. LLC, No. 11-56600, 2012 WL 4840814 (9th Cir. Oct. 12, 2012). The debt collector argued, in part, that typicality or commonality issues should preclude class certification because some debtors might have agreed to be contacted at their telephone numbers, which were obtained after the debtors incurred the debt at issue. Citing a recent FCC declaratory ruling, the court noted that prior express consent is deemed granted only if the debtor provides a cellular telephone number at the time of the transaction that resulted in the debt at issue. The court thus rejected the debt collector’s argument, and held that debtors who provide their cellular telephone numbers after the time of the original transaction are not deemed to have consented to be contacted under the TCPA. In addition, the court upheld the district court’s grant of a preliminary injunction to the plaintiff, finding that he had established a likelihood of success on his TCPA claim and had demonstrated irreparable harm based on the debt collector’s continuing violations of that statute.


FCC Seeks Comments on Mobile Device Privacy, Data Security

Recently, the FCC released a request for public comment on the privacy and data security of personal information on mobile devices.  The request focuses on the amount and types of consumer information that may be collected by carriers. For example, the FCC lists a series of factors, including (i) the degree of control that the service provider exercises over the design, integration, installation, or use of the software that collects and stores information, (ii) the manner in which the collected information is used, and (iii) the role of third parties in collecting and storing data, and asks which, if any, are relevant to assessing a wireless provider’s obligations under the Communications Act and the Commission’s implementing rules. The FCC will accept public comments for 30 days from publication of the request in the Federal Register. In 2007, the FCC similarly solicited comments and revised its rules under the Communications Act to tighten data security requirements and address pretexting.