Experian Data Breach: Regulatory War or Peace?
Following yesterday’s news that Experian Plc, the world’s largest consumer credit monitoring firm, suffered a massive data breach, exposing the personal information of some 15 million people, the post-breach fall out has already started. The Connecticut Attorney General’s office has announced that is launching an investigation into the breach. But that’s just the beginning as two federal agencies -- the Federal Trade Commission and Federal Communications Commission – now sit front and center in what will either become a regulatory tug-of-war or textbook example of inter-agency cooperation.
Experian is the vendor for international telecommunications provider T-Mobile USA Inc. and processed credit checks for T-Mobile’s customers, whose stolen information includes names, addresses, birth dates, driver’s license numbers and social security numbers.
The consumer data compromised by the Experian breach sits squarely at the intersection of two separate federal regulatory agencies: the Federal Trade Commission, charged with protecting consumers from unfair or deceptive trade practices, and the Federal Communications Commission, the agency with statutory authority to ensure that telecommunications companies protect their customer information.
The FTC enforces consumer protection under Section 5 of the FTC Act, and most recently, in Federal Trade Commission v. Wyndham Worldwide Corporation, the Third Circuit Court of Appeals affirmed the FTC’s broad authority to take action against private sector companies that fail to take adequate steps to protect customer data. Since 2005, the FTC has settled 53 cases against companies relating to data security issues.
But the FCC has also started to flex its enforcement muscles of late. Section 222(a) of the Communications Act of 1934 imposes a duty on carriers “to protect the confidentiality of proprietary information of, and relating to … customers.” Similarly, Section 201(b) makes it unlawful for a carrier to employ “unjust or unreasonable” data security practices in holding its customer's proprietary information.
The FCC hasn’t been shy about starting to use that authority. In April 2015, the FCC reached a $25 million settlement with AT&T Inc. over a consumer data breach at several of its call centers. The breaches led to the disclosure of customer names, social security numbers and account information. The AT&T settlement is by far the largest FCC data security enforcement to date, eclipsing the FCC’s $10 million fine on TerraCom and YourTel for consumer privacy breaches in October 2014.
And the timing of the Experian breach couldn’t be more ironic. Yesterday morning – just hours before the Experian news was disclosed – enforcement officials from both the FTC and FCC sat center stage at the International Association of Privacy Professional’s conference in Las Vegas, talking about inter-agency cooperation and the “complementary roles” of these two federal agencies.
Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, called any perceived rivalry between the two agencies “fiction,” and explained that their roles are “quite different and not overlapping.” FTC jurisdiction is broad and generally covers all industries except banks, non-profits or telecommunications companies. In explaining her agency’s top priorities, she focused on the sale of sensitive information to data brokers.
The FCC’s Chief of Enforcement, Travis LeBlanc, also spoke about data security and recent fines imposed on telecommunications companies related to data breaches and likewise stressed the issue of inter-agency cooperation.
The Experian hack will likely challenge the thesis that federal agencies can work together on data breaches. The information compromised by hackers falls in the laps of both the FTC and FCC. But whether it’s a turf war or actions are put behind the words both Rich and LeBlanc so passionately delivered yesterday will now be tested.
We’ll continue to cover this developing story.