On June 18, the FCC held an Open Commission Meeting, during which the Commission adopted Chairman Wheeler’s proposal to strengthen consumer protection under the TCPA. The set of declaratory rulings included in the proposal affirms consumers’ rights to revoke their consent to receive robocalls or robotexts at any reasonable time an in any reasonable way, and gives carriers the ability to provide consumers with “Do Not Disturb” technology. The Commission’s June 18 Action by Declaratory Ruling and Order was described as an effort to close “loopholes and [strengthens] consumer protections already on the books.”
On July 9, the FCC announced a $3.5 million settlement with carriers TerraCom, Inc. and YourTel America, Inc. to resolve an investigation into the exposure of personal information of over 300,000 of their customers online via unprotected servers used by their vendors to store customer information. The exposed information included names, addresses, Social Security numbers, driver’s licenses, and other pieces of sensitive information that were viewable by anyone with access to a search engine. Section 222(a) of the Communications Act imposes on carriers a duty to protect the confidentiality of “proprietary information of… customers” and the FCC Enforcement Bureau viewed this incident as a violation of that duty, as well as its duty under Section 201(b) to employ “just and reasonable” data security practices to protect the confidentiality of consumers’ proprietary information. Under the settlement, TerraCom and YourTel are required to (i) designate a senior corporate manager with certified privacy expertise, (ii) conduct a privacy risk assessment, (iii) put in place a written information security program and data breach response plan, (iv) maintain “reasonable oversight” of third-party vendors, and (v) offer privacy and security training. FCC-regulated entities should review their privacy and data security practices to ensure that they are taking appropriate steps to protect their customers’ proprietary information.
FCC Chairman Circulates Proposal to Strengthen Consumer Protection Under the TCPA; Open Meeting Scheduled For June 18
On May 27, the FCC released a fact sheet outlining Chairman Wheeler’s proposal for a series of rulings under the Telephone Consumer Protection Act (TCPA) that he asserts will better protect American consumers from unsolicited robocalls, spam text messages, and telemarketing calls. If adopted, the proposal would, among other things: (i) give consumers the right to revoke their consent to receive robocalls and robotexts at any reasonable time and in any reasonable way; (ii) authorize carriers to offer robocall-blocking or “Do Not Disturb” technologies to consumers; and (iii) require robocallers to stop calling a number when it has been reassigned to a new subscriber. Responding to multiple petitions that “sought clarity on how the Commission enforces” the TCPA, the proposal aims to “close loopholes and strengthen consumer protections already on the books.” The Chairman’s proposal is scheduled to be voted on at the Open Commission Meeting on June 18.
On May 20, the FCC released an enforcement advisory regarding the enforcement of Section 222 of the Communications Act as it relates to providers of broadband Internet access service (BIAS). The advisory bulletin indicates that, until the FCC implements new BIAS-specific privacy regulations, the Enforcement Bureau will “focus on whether broadband providers are taking reasonable, good-faith steps to comply with Section 222, rather than focusing on technical details.” Thus, “the Enforcement Bureau intends that broadband providers should employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.”
Two regulatory enforcement matters announced in April offer a view into the current mindset of regulators in the ever-evolving world of vendor management. First, the Federal Communications Commission (FCC) announced a $25 million settlement with a telecommunications carrier related to the unauthorized release of personal information of more than a quarter-million customers. The identified cause of the data breach were employees of the carrier’s service providers based in Mexico, Columbia, and the Philippines, who confessed to selling customer information to unauthorized third parties. In holding the carrier responsible, the FCC issued its largest data security enforcement action to date. Although severe in its punishment, the FCC action did not break new ground, as regulators have shown an increasing willingness in recent years to assess monetary penalties against supervised institutions for legal violations committed by vendors.
“This approach is entirely consistent with the FCC’s past enforcement actions related to data security breaches, as well as those of other regulatory bodies where consumer harm has resulted,” advises Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “In the current environment, virtually every regulator has made accountability a fundamental axiom of its vendor management guidance.” Read more…
On April 8, the Federal Communications Commission (FCC) announced a $25 million settlement with an international telecommunications carrier concerning the unauthorized release of the personal information of nearly 280,000 customers by certain employees. The alleged data breach took place over a 168-day period at carrier call centers in Mexico, Columbia, and the Philippines where employees of the carrier allegedly were paid by unauthorized third parties to disclose confidential customer information. The third parties appear to have sought the information to unlock and traffic stolen cell phones. The FCC Enforcement Bureau found that the data breach violated a carrier’s duty under Section 222 of the Communications Act and also constituted “an unjust and unreasonable practice” under Section 201. In addition to paying the $25 million civil money penalty, terms of the settlement require the carrier to (i) notify all affected customers and reimburse them for any subsequent credit monitoring services; and (ii) implement new internal policies to improve the carrier’s privacy and data security practices. For more information on the latest regulatory guidance on data security and evolving best practices, please visit the Privacy, Cyber Risk, and Data Security Resource Center.
On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.
On October 14, the ABA submitted a petition to the FCC requesting that it exercise its statutory authority to allow financial institutions to send consumers certain security and fraud alerts without the consumers’ prior consent. Specifically, the consumers would receive alerts regarding: (i) transactions suggesting a risk of identity theft or fraud; (ii) potential security breaches involving personal information; (iii) preventative steps consumers can take to decrease their chances of falling victim to security breaches, in addition to steps they can take to remedy harm already caused by a breach; and (iv) actions required to receive a receipt for money transfers. The petition notes that the most effective way to ensure that consumers receive these important messages is through automated texts and calls to mobile devices and accordingly requests that the FCC allow for an exemption to the Telephone Consumer Protection Act to ensure that customers receive security and fraud notifications in a timely manner.
On October 8, the FCC announced a $105 million settlement – the largest in the agency’s history – with a mobile telephone company to resolve allegations that the company engaged in unauthorized billing practices. According to the FCC, the company charged customers for third-party services, such as subscriptions for ringtones, wallpapers, and certain premium text messages, for which they did not sign up. Many customers contested the charges, only to discover that the company either refused to issue refunds or refunded them for only one or two months. Under the terms of the settlement, which the FCC negotiated with the FTC and the attorney generals of the 50 states and the District of Columbia, the company must pay $80 million to the current and former customers affected by its billing practices, $20 million to the state governments involved in the settlement, and $5 million to the U.S. Treasury.
On December 30, the Senate confirmed Carol Galante as Assistant Secretary of Housing and Urban Development and Federal Housing Administration Commissioner. Ms. Galante, who was nominated for the position in October 2011, has been serving in an acting role. Her confirmation was made possible after certain Senators, including Bob Corker (R-TN), who had expressed concerns about the pace of reforms at the FHA, secured a commitment from Ms. Galante to (i) place a moratorium on the full drawdown reverse mortgage program, (ii) substantially increase underwriting criteria for borrowers with FICO scores between 580 and 620 by establishing a meaningful maximum debt-to-income ratio, (iii) increase the down payment requirement and the insurance pricing for loans between $625,000 and $729,000, and (iv) increase underwriting requirements for borrowers who have been foreclosed upon within the last seven years. On January 1, as described in media reports, the Senate confirmed Joshua Wright as FTC Commissioner and Mignon Clyburn as FCC Commissioner, and also confirmed Richard Berner for the new position of Director of the Treasury Department’s Office of Financial Research.
On October 12, the U.S. Court of Appeals for the Ninth Circuit upheld provisional class certification for a plaintiff debtor, who claimed that a debt collector had violated the Telephone Consumer Protection Act (TCPA) by using an automatic dialer to place calls to plaintiff and other debtors’ cellular telephone numbers obtained via skip-tracing, and where the debtors also had not expressly consented to be called. Meyer v. Portfolio Recovery Assocs. LLC, No. 11-56600, 2012 WL 4840814 (9th Cir. Oct. 12, 2012). The debt collector argued, in part, that typicality or commonality issues should preclude class certification because some debtors might have agreed to be contacted at their telephone numbers, which were obtained after the debtors incurred the debt at issue. Citing a recent FCC declaratory ruling, the court noted that prior express consent is deemed granted only if the debtor provides a cellular telephone number at the time of the transaction that resulted in the debt at issue. The court thus rejected the debt collector’s argument, and held that debtors who provide their cellular telephone numbers after the time of the original transaction are not deemed to have consented to be contacted under the TCPA. In addition, the court upheld the district court’s grant of a preliminary injunction to the plaintiff, finding that he had established a likelihood of success on his TCPA claim and had demonstrated irreparable harm based on the debt collector’s continuing violations of that statute.
Recently, the FCC released a request for public comment on the privacy and data security of personal information on mobile devices. The request focuses on the amount and types of consumer information that may be collected by carriers. For example, the FCC lists a series of factors, including (i) the degree of control that the service provider exercises over the design, integration, installation, or use of the software that collects and stores information, (ii) the manner in which the collected information is used, and (iii) the role of third parties in collecting and storing data, and asks which, if any, are relevant to assessing a wireless provider’s obligations under the Communications Act and the Commission’s implementing rules. The FCC will accept public comments for 30 days from publication of the request in the Federal Register. In 2007, the FCC similarly solicited comments and revised its rules under the Communications Act to tighten data security requirements and address pretexting.