Under Barack Obama, the Federal Communications Commission has walked away from any sense of enforcing traditional broadcast decency, a dramatic change from the Janet Jackson “wardrobe malfunction” drama of 2004. Two years ago, the courts consented to the broadcast networks’ demands that indecency is an outdated notion. (Liberals want to redefine broadcast obscenity as words like "Redskins.")
But FCC fines are breaking out in a brand new area. Brian Fung reported in The Washington Post on Saturday that the FCC suddenly levied a $10 million dollar find against two telecom companies for violating the privacy of government-favored customers – “poor Americans” getting telephone subsidies – by leaving their “data online without firewalls, encryption or password protection.”
The two companies, YourTel America and TerraCom, share the same owners and management. From September 2012 to April 2013, the FCC said, the companies collected information online from applicants to Lifeline, the government's telephone subsidy program for poor Americans. To prove their eligibility, potential customers are asked for personal information, including Social Security numbers, dates of birth, addresses, names and drivers' license numbers.
Rather than store this data securely or destroy it after they were done proving eligibility, according to the FCC, the companies kept the information on publicly accessible Internet servers. When reporters for the Scripps Howard News Service stumbled on the data with a simple Google search, they reported on the lax security and notified the FCC. As many as 300,000 customers may have been affected by the unsecured data, the FCC said.
These companies "made their customers' personal, sensitive information publicly accessible to all the world via the Internet," said Travis LeBlanc, the FCC's top enforcement official. "This is unacceptable. … This is the first data security enforcement action [by the FCC], but it will not be the last."
The Post story did not include any dissenting statements for this sudden regulatory shift, but Republican FCC appointee Ajit Pai certainly cried foul:
A core principle of the American legal system is due process. The government cannot sanction you for violating the law unless it has told you what the law is. In the regulatory context, due process is protected, in part, through the fair warning rule. Specifically, the D.C. Circuit has stated that “[i]n the absence of notice—for example, where the regulation is not sufficiently clear to warn a party about what is expected of it—an agency may not deprive a party of property.” Thus, an agency cannot at once invent and enforce a legal obligation.
Yet this is precisely what has happened here. In this case, there is no pre-existing legal obligation
to protect personally identifiable information (also known as PII) or notify customers of a PII data breach to enforce. The Commission has never interpreted the Communications Act to impose an enforceable duty on carriers to “employ reasonable data security practices to protect” PII....Nevertheless, the Commission asserts that these companies violated novel legal interpretations and never-adopted rules. And it seeks to impose a substantial financial penalty. In so doing, the Commission runs afoul of the fair warning rule. I cannot support such “sentence first, verdict afterward” decision-making.