A recent decision by the Federal Communications Commission’s (“FCC”) Wireline Competition Bureau confirms the FCC seeks to avoid regulating Internet edge providers, despite recent Open Internet efforts that subject Broadband Internet Access Service providers to limited Title II regulations.
In another matter touching upon customer privacy/data security, the FCC’s Enforcement Bureau brought its first data breach case against a cable operator, fining Cox Communications $595,000 for inadequate data security measures.
The two recent news items provide more examples of how the nation’s telecommunications regulator is increasingly looking to assert itself as the central agency responsible for regulating privacy and data security compliance matters impacting the Internet ecosystem. Rather than outright state the rules that govern privacy and data security, however, the FCC’s approach appears to be piecemeal and ad hoc — both announcing and foreclosing approaches to regulating privacy law matters on a case-by-case basis.
Wireline Competition Bureau takes regulation of edge providers off the table, for now
The FCC’s Wireline Competition Bureau denied a petition filed by a consumer group that would have required edge providers such as Google, Facebook, YouTube, Pandora, Netflix and LinkedIn to honor consumer requests to opt out of online tracking.
The consumer group, Consumer Watchdog, filed the petition earlier in the year after the FCC reclassified broadband Internet access service (“BIAS”) as a telecommunications service under Title II of the Communications Act. Consumer Watchdog argued that the new regulatory scheme was insufficient, because by regulating privacy practices of BIAS providers but not edge providers, the FCC rules gave edge providers an unfair “regulatory advantage.”
The consumer group instead asked the FCC to regulate the privacy practices of edge providers by facilitating the development and implementation of a ‘Do Not Track’ standard method of allowing consumers to opt out of online tracking.
But in Friday’s decision, the Wireline Competition Bureau underscored the limited scope of the FCC’s Open Internet Order: “reclassification of broadband Internet access service involves only the transmission component of Internet access service.” Edge providers are not subject to the same regulatory scrutiny as BIAS providers. Thus, while the FCC will develop new privacy rules that apply to BIAS providers under section 222 of the Communications Act, the FCC will not pursue privacy rules for other Internet services, at least for the time being. As a result, the Bureau declined Consumer Watchdog’s invitation to develop rules for these unregulated companies.
Enforcement Bureau fines cable provider $595,000 for inadequate security measures
The FCC also announced a settlement agreement with Cox Communications last week to end an investigation of the cable operator’s inadequate security measures that led to the breach of sensitive customer information. The agreement, which represented the FCC’s first data security case against a cable operator, requires the company to pay a civil penalty of $595,000 and to develop a compliance plan to prevent future breaches. The FCC’s Enforcement Bureau will then monitor the company’s data security program for seven years.
The FCC’s case centered on a data breach that took place late last year, in which a third-party hacker impersonated a Cox official and gained access to customer records. The company lacked technical safeguards, including multi-factor authentication, which the FCC says might have reduced the likelihood of a breach.
As part of the company’s consent order, the FCC is requiring the company to take specific actions, including:
Designate a compliance officer;
Conduct a comprehensive risk assessment to identify internal or external risks to the security, confidentiality, and integrity of the personal information and customer proprietary network information (“CPNI”) that the company collects;
Revise its information security program, with an emphasis on ensuring the protection of personal information and CPNI;
Conduct annual penetration testing of systems related to the collection and storage of personal information and CPNI;
Develop a breach notification plan that ensures the company notifies the correct parties as required under federal and state law;
Offer services, including credit monitoring, to affected customers.
Individual FCC consent orders are instructive because they provide a template for the business community when making decisions on how to structure data security operations to protect customer privacy. If you have any questions regarding your privacy obligations under developing FCC privacy law, please contact Linda McReynolds, lgm@commlawgroup.com – 703-714-1318.