The FCC is fining two smaller ISPs, sister companies Terracom and Yourtel, $3.5 million for violating consumer privacy and for over-billing the federal Lifeline program.
It would probably be more accurate to say that these ISPs are responsible more for carelessly storing consumer information than for violating the privacy of their consumers. According to the FCC, the two companies failed to keep secure the confidential personal information of over 300,000 consumers using their services.
The personal information, which includes names, addresses, social security numbers, driver's licenses, and other confidential data, was stored by the companies on an unprotected server, which was accessible over the Internet in a manner that allowed anyone with a search engine to access the information. Given the ease with which anyone could access the data, it isn't surprising that the companies' servers were breached and the data copied.
In addition to the data breach, the companies were also found to be taking advantage of the Lifeline program, which provides affordable telephone service to those in need. The FCC has been responsible for regulating this program since its inception. Essentially, a company gives an eligible family telephone service at a lower-than-average price, and the FCC afterwards reimburses the company for the difference.
The FCC had previously instructed the companies to remove Lifeline subscribers who were not eligible for the program. Specifically, some Lifeline subscribers were being claimed under both service providers, allowing the companies to draw reimbursement money from the FCC without actually providing any service.
"Consumers rightly expect that companies will take every reasonable precaution to protect their personal information," said Travis LeBlanc, Chief of the FCC's Enforcement Bureau. "It is a breach of customer trust for a company to promise to protect personal information while failing to take reasonable measures to protect sensitive customer information from unauthorized access by anyone with a search engine. This settlement ensures that these companies take concrete steps to improve their security practices and prevent breaches like this from happening again."
The FCC opted to charge the companies a joint $3.5 million in civil penalties for the privacy violation, and partially as a settlement for overcharging Lifeline. Both companies also committed to improving their security and privacy measures to prevent a similar breach from occurring in the future. They are also required to notify the users whose information was stolen.
One could argue that this is a wholly inadequate response from the FCC. ISPs, even small ones, are extremely profitable businesses. Large ISPs see billion-dollar profits annually, while smaller ISPs often manage to make hundreds of millions. Compared to the damage done, this is little more than a slap on the wrist.
Not to mention, nothing is being done at this time to reimburse the customers harmed by this. Right now, many of them are likely still unaware that their information has been stolen. Someone could be using their personal information to do any number of things. Having to change their phone numbers to avoid unwanted calls is a major inconvenience for these customers, but worrying about identity theft will be a major headache.
At the end of the day, it seems like a weak response to a major problem that never should have happened.