Wireless firms TerraCom, Inc. and YourTel have agreed to pay $3.5 million to settle Federal Communications Commission charges that the companies failed to protect the personal information of 300,000 consumers.
The FCC originally proposed a $10 million penalty in the notice of apparent liability issued last November.
According to the FCC’s investigation, the companies’ vendor stored consumers’ personal information on unprotected servers resulting in a data breach that exposed customers’ names, addresses, social security numbers, drivers’ licenses and other sensitive data.
As part of the consent decree the companies agreed to beef up their privacy and security practices and file regular compliance reports with the FCC for the next three years.
The settlement shows how serious the FCC and its aggressive enforcement bureau chief, Travis LeBlanc, are about stepping up privacy and data security enforcement. Under the FCC’s new open Internet order, the agency is expected to take even bigger steps into privacy enforcement.
“Privacy is not a secondary activity here,” FCC chairman Tom Wheeler said earlier this year at a Washington event.
The FCC spelled out a number of steps TerraCom and YourTel must take to improve privacy and security including making sure a senior corporate manager is a certified privacy professional, implementing a data breach response plan and maintaining stricter oversight of vendors.
The companies also agreed to notify all consumers whose information was compromised and provide complimentary credit monitoring services.
“Consumers rightly expect that companies will take every reasonable precaution to protect their personal information,” said LeBlanc.
The settlement also resolves an FCC investigation in YourTel’s failure to timely de-enroll Lifeline subscribers that were ineligible for the service between 2012 and 2013.