Data Law Insights

FCC’s expands data security enforcement; Sprint settles FCRA claims; $12.5M fine for background screening agencies; Congress considers auto cybersecurity study; No FCC “do not track” rules; Safe harbor alternatives; No SCA liability for inadvertent disclosure

FCC takes first enforcement action related to cable operator’s data security

The Federal Communications Commission fined Cox Communications $595,000 for failing to employ proper security and notification practices related to its 2014 data breach.  The Communications Act of 1934 requires cable operators to protect subscribers’ personally identifiable information.  Cox, the third-largest cable provider in the U.S., suffered a data breach when social engineering and phishing efforts resulted in unauthorized access to Cox’s customer database.  Specifically, an unauthorized user pretended to be a Cox representative and convinced a contractor and tech support representative to provide access credentials into a fake Cox website.  Cox notified the FBI and later sent notice to most of the affected customers, but never reported the breach to FCC.  The FCC’s fine comes on the heels of an investigation into whether Cox properly protected customers’ proprietary information and provided prompt notice to affected customers and law enforcement authorities.  In addition to paying the penalty, Cox must comply with requirements designed to improve its data security practices, notify all affected current and former customers of the breach, and provide those affected with free credit monitoring services.  This is the FCC’s third enforcement action this year related to violations of the Communications Act, and its first action against a cable provider. Companies should review whether data security procedures account for attacks using social engineering.  This may include multi-factor authentication for all employees, minimizing the number of employees with access to customers’ personal information, and procedures and sanctions governing third-party compliance with security procedures.  Companies should also ensure their notice practices account for all affected individuals and the relevant government agencies.

Sprint settles FCRA suit for $2.95 million

Sprint has agreed to pay $2.95 million to settle charges that it violated the Fair Credit Reporting Act (“FCRA”) .  The FTC complaint alleged that Sprint violated the FCRA when it placed certain consumers with lower credit scores in a program that which required a monthly fee in addition to phone service charges.  Sprint allegedly failed to send proper Risk-Based Pricing Notice that included all information required by law, including the use of and information in consumers’ credit reports, and that the program terms may have been less favorable than terms offered to consumers with better credit scores.  Furthermore, these notices were allegedly sent after a) the monthly program fee had been charged and b) the time period during which customers could cancel their service without a termination fee, thus denying consumers the opportunity to explore service with other carriers.  The settlement requires Sprint to not only pay the fine but also send corrected notices to existing consumers and notice to future customers within a time period that allows consumers to avoid the service program’s recurring monthly fee.  This is a reminder that companies should review their notice practices to ensure not only compliance with content requirements, but also the timing of such notice where consumers pay are billed after using a service and would thus be deprived of an opportunity to challenge the information or shop for an alternative before incurring financial obligations or penalties.

Background screening agencies fined $12.5 million for FCRA violations

The Consumer Financial Protection Bureau issued a $12.5 million fine to two employment background screening companies for allegedly violating the FCRA .  The CFPB alleged that the agencies failed to a) maintain written procedures for ensuring maximum accuracy of information contained in reports concerning the target individuals, b) ensure that individual information contained in the reports was up-to-date, and c) exclude non-reputable information from the background reports.  Pursuant to a consent order, the agencies will pay $1.25 million each in civil penalties.  The agencies will also set aside $10.5 million for providing redress to customers affected by their violations; any amount remaining after all customers have received relief will be submitted to the government as disgorgement.

Congress to consider automotive cybersecurity study

Congress will consider a bill authorizing a one-year study of automotive cybersecurity . The Security and Privacy in Your Car Act, or the “SPY Car Study Act,” would establish a cross-sector study, engaging federal agencies, industry leaders, and higher education institutions to examine best practices and recommend a framework for regulating automotive software.  The House bill, introduced by Rep. Joe Wilson (R-S.C.) and Rep. Ted Lieu (D-Calif.), is considered less ambitious than a similar bill introduced in the Senate earlier this year, which called on the FTC and the NHTSA to develop vehicle cybersecurity standards.  Rep. Wilson explained that the House bill would allow for an accurate assessment of the cybersecurity field before mandating changes to the automotive cybersecurity landscape.  This is yet another signal that Congress intends to regulate in this space, and manufacturers should begin considering best practices and procedures for vehicle cybersecurity.

FCC declines invitation to create “Do Not Track” rules

The FCC has dismissed a petition that would require “edge” providers such as Google, Facebook, and Netflix to honor consumers’ “do not track” requests [link: https://www.fcc.gov/document/bureau-dismisses-petition-regulate-edge-provider-privacy-practices ].  The petition sought application of the privacy regulations in Section 222 of the Communications Act to website operators.  In its dismissal order, the FCC explained that it has no intent to regulate “edge” providers.  Even though the FCC has classified broadband Internet access service (“BIAS”) providers as a telecommunications service under Section 222, the existing rules in that section governing voice services are ill-suited to apply to broadband Internet access services.  Thus, the agency would maintain its previously-stated position and decline to apply Section 222 to BIAS providers.

European Commission confirms alternatives for transatlantic transfers

The European Commission issued guidance addressing alternative methods for transatlantic data transfer in the absence of a safe harbor agreement.  The Commission identified viable transfer mechanisms such as contract clauses, intra-corporate transfers, and derogations previously identified by the Commission.  This analysis largely echoes last month’s statements by the Article 29 Working Party concerning safe harbor alternatives.  The Commission noted that its guidance is not binding on member states, and those states are free to examine and supervise data transfers.  For entities transferring data with one of the EU member states, it remains important to consider the positions of the governing authorities.  Some countries have accepted some or all of the aforementioned alternatives, while others have questioned or outright rejected them.  In the absence of a statement by the governing authorities, the Commission’s decision may be the best guide for proceeding until the announcement of a new safe harbor agreement.

No SCA liability for inadvertent disclosure in response to subpoena

The U.S. Court of Appeals for the Sixth Circuit held that an internet and cable provider did not violate the Stored Communications Act (“SCA”) when it inadvertently disclosed a customer’s IP address .  In Long v. Insight Communications, the plaintiffs alleged that in response to a grand jury subpoena, the defendant service provider misidentified one of the plaintiffs as the subscriber assigned to the IP address targeted by the subpoena and, as a result, disclosed the plaintiffs’ address and telephone number.  The plaintiffs alleged that this intentional act of disclosure violated the SCA, which prohibits service providers from “knowingly divulg[ing]” subscriber information to a government entity, subject to exceptions.  The court dismissed the claim, finding an absence of any allegation that the defendant was aware of the error at the time of disclosure.  Noting that the SCA prohibits knowing disclosure, the court rejected plaintiffs’ argument that SCA liability could exist where a provider negligently or recklessly failed to ensure the accuracy of a response to a subpoena.  This decision illustrates the high standard for SCA liability, namely that the element of intent applies to the inclusion of the customer’s information, not simply the decision to make a disclosure.