On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.
On April 8, the Federal Communications Commission (FCC) announced a $25 million settlement with an international telecommunications carrier concerning the unauthorized release of the personal information of nearly 280,000 customers by certain employees. The alleged data breach took place over a 168-day period at carrier call centers in Mexico, Columbia, and the Philippines where employees of the carrier allegedly were paid by unauthorized third parties to disclose confidential customer information. The third parties appear to have sought the information to unlock and traffic stolen cell phones. The FCC Enforcement Bureau found that the data breach violated a carrier’s duty under Section 222 of the Communications Act and also constituted “an unjust and unreasonable practice” under Section 201. In addition to paying the $25 million civil money penalty, terms of the settlement require the carrier to (i) notify all affected customers and reimburse them for any subsequent credit monitoring services; and (ii) implement new internal policies to improve the carrier’s privacy and data security practices. For more information on the latest regulatory guidance on data security and evolving best practices, please visit the Privacy, Cyber Risk, and Data Security Resource Center.
On October 14, the ABA submitted a petition to the FCC requesting that it exercise its statutory authority to allow financial institutions to send consumers certain security and fraud alerts without the consumers’ prior consent. Specifically, the consumers would receive alerts regarding: (i) transactions suggesting a risk of identity theft or fraud; (ii) potential security breaches involving personal information; (iii) preventative steps consumers can take to decrease their chances of falling victim to security breaches, in addition to steps they can take to remedy harm already caused by a breach; and (iv) actions required to receive a receipt for money transfers. The petition notes that the most effective way to ensure that consumers receive these important messages is through automated texts and calls to mobile devices and accordingly requests that the FCC allow for an exemption to the Telephone Consumer Protection Act to ensure that customers receive security and fraud notifications in a timely manner.
On October 8, the FCC announced a $105 million settlement – the largest in the agency’s history – with a mobile telephone company to resolve allegations that the company engaged in unauthorized billing practices. According to the FCC, the company charged customers for third-party services, such as subscriptions for ringtones, wallpapers, and certain premium text messages, for which they did not sign up. Many customers contested the charges, only to discover that the company either refused to issue refunds or refunded them for only one or two months. Under the terms of the settlement, which the FCC negotiated with the FTC and the attorney generals of the 50 states and the District of Columbia, the company must pay $80 million to the current and former customers affected by its billing practices, $20 million to the state governments involved in the settlement, and $5 million to the U.S. Treasury.
On December 30, the Senate confirmed Carol Galante as Assistant Secretary of Housing and Urban Development and Federal Housing Administration Commissioner. Ms. Galante, who was nominated for the position in October 2011, has been serving in an acting role. Her confirmation was made possible after certain Senators, including Bob Corker (R-TN), who had expressed concerns about the pace of reforms at the FHA, secured a commitment from Ms. Galante to (i) place a moratorium on the full drawdown reverse mortgage program, (ii) substantially increase underwriting criteria for borrowers with FICO scores between 580 and 620 by establishing a meaningful maximum debt-to-income ratio, (iii) increase the down payment requirement and the insurance pricing for loans between $625,000 and $729,000, and (iv) increase underwriting requirements for borrowers who have been foreclosed upon within the last seven years. On January 1, as described in media reports, the Senate confirmed Joshua Wright as FTC Commissioner and Mignon Clyburn as FCC Commissioner, and also confirmed Richard Berner for the new position of Director of the Treasury Department’s Office of Financial Research.
On October 12, the U.S. Court of Appeals for the Ninth Circuit upheld provisional class certification for a plaintiff debtor, who claimed that a debt collector had violated the Telephone Consumer Protection Act (TCPA) by using an automatic dialer to place calls to plaintiff and other debtors’ cellular telephone numbers obtained via skip-tracing, and where the debtors also had not expressly consented to be called. Meyer v. Portfolio Recovery Assocs. LLC, No. 11-56600, 2012 WL 4840814 (9th Cir. Oct. 12, 2012). The debt collector argued, in part, that typicality or commonality issues should preclude class certification because some debtors might have agreed to be contacted at their telephone numbers, which were obtained after the debtors incurred the debt at issue. Citing a recent FCC declaratory ruling, the court noted that prior express consent is deemed granted only if the debtor provides a cellular telephone number at the time of the transaction that resulted in the debt at issue. The court thus rejected the debt collector’s argument, and held that debtors who provide their cellular telephone numbers after the time of the original transaction are not deemed to have consented to be contacted under the TCPA. In addition, the court upheld the district court’s grant of a preliminary injunction to the plaintiff, finding that he had established a likelihood of success on his TCPA claim and had demonstrated irreparable harm based on the debt collector’s continuing violations of that statute.
Recently, the FCC released a request for public comment on the privacy and data security of personal information on mobile devices. The request focuses on the amount and types of consumer information that may be collected by carriers. For example, the FCC lists a series of factors, including (i) the degree of control that the service provider exercises over the design, integration, installation, or use of the software that collects and stores information, (ii) the manner in which the collected information is used, and (iii) the role of third parties in collecting and storing data, and asks which, if any, are relevant to assessing a wireless provider’s obligations under the Communications Act and the Commission’s implementing rules. The FCC will accept public comments for 30 days from publication of the request in the Federal Register. In 2007, the FCC similarly solicited comments and revised its rules under the Communications Act to tighten data security requirements and address pretexting.