Whenever there is a data breach, it is usually the attackers that are blamed and deemed responsible. The U.S. Federal Communication Commission (FCC), however, has a slightly more nuanced view and wants operators to take responsibility for their own security.
On Oct. 24, the FCC issued a statement about a fine it is planning against TerraCom and YourTel America for not properly securing information for 305,000 consumers.
The FCC alleges that the carriers did not properly secure user information and that customer names, addresses and Social Security numbers were stored on publicly accessible Internet servers.
According to the FCC, the carriers claimed they secured user information, but an investigation found that from September 2012 to April 2013, basic security measures were not in place.
The FCC plans to fine TerraCom and YourTel a total of $10 million because they did not have proper security measures in place to protect user information.
“Failure to take reasonable steps to secure consumer information is a clear breach of a carrier’s duty to protect the confidentiality of the customer information they collect,” FCC Chairman Tom Wheeler stated. “The commission has a responsibility under the Communications Act to ensure that those service providers and network operators take reasonable steps to honor that public trust, and to protect consumers from harm caused by violations of the Communications Act. That is exactly what we are doing today.”
Not everyone at the FCC agrees with the fine. FCC Commissioner Michael O’Reilly issued a dissenting statement on the fine. O’Reilly agrees that consumer information was improperly put at risk, though he disagrees that the FCC has the authority to issue such a fine.
Commissioner Ajit Pai has also issued a dissenting opinion. “In this case, there is no pre-existing legal obligation to protect personally identifiable information [also known as PII] or notify customers of a PII data breach to enforce,” Pai stated. “The commission has never interpreted the Communications Act to impose an enforceable duty on carriers to employ reasonable data security practices to protect PII.”
It’s clear that the FCC is trying to act in the best interests of consumers with this ruling. The allegation that the carriers did not protect user information is a serious one. It likely should be the responsibility of those entrusted with personally identifiable information to protect that information. The issue of whether the FCC has the legal authority to actually enforce that responsibility is another question.
There is no shortage of attackers in the world today looking to exploit leaky databases and sources of user information. In many cases, data breaches are followed by legal actions, as is the case with the Home Depot breach, where there are now multiple class-action suits against the retailer. Home Depot confirmed in September that it was the victim of a data breach that impacted 56 million consumers.
Is the victim of crime to be blamed for being a victim? In the FCC case against TerraCom and YourTel America, it would appear that the victim is the consumer. In the Home Depot case (and with other retail breaches), it’s still not yet publicly known where the full responsibility lies, though it is clear that a malicious attack led to the data breach.
There is a difference between an attack that yields information and an organization that leaves user information in the open. Securing information isn’t always easy, but organizations should be taking every reasonable step to make sure they’re doing the right thing to keep user information safe.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.