That’s according to a recent Bloomberg piece: New Sheriff in Town: FCC Expands Its Reach to Data Security.
According to the story: “The Federal Communications Commission (FCC) entered the data security enforcement field in October, levying a $10 million fine against two telecommunications companies for failing to secure and protect their customers’ personal information. This is the first time the FCC has used its authority to levy fines based on inadequate data security, and it has uncovered a divergence of views within the FCC about the agency’s own enforcement authority.”
This could have significant consequences in the near and long term. In the near term, it certainly affects telecommunication companies offering cloud services (email, file sync and share, etc.), and the same approach could easily be adopted by other government agencies to reach other cloud providers.
“The FCC held that the companies’ alleged failure to secure personal information constituted a violation of the companies’ duty under Section 222(a) of the Communications Act (the Act) to protect such information, as well as an unjust and unreasonable practice in violation of Section 201(b) of the Act, “given that their data security practices lacked even the most basic and readily available technologies and security features and thus create[d] an unreasonable risk of unauthorized access.””
The authors go on to explain the overlap between the FCC and the FTC vis-à-vis data protection:
“…at the federal level, data privacy and security enforcement has long been primarily the domain of the FTC, with certain industry-specific authority held by other regulatory agencies. The FTC’s general authority to regulate consumer data privacy and security issues stems from Section 5(a)(1) of the FTC Act, which restricts “unfair or deceptive” trade practices — although the FTC also has enforcement authority with respect to other, more targeted privacy laws…”
I won’t quote the whole story; you should read it in its entirety. The bottom line is that the government in the US is beginning to take data privacy very seriously. Businesses that have previously just averted their eyes from employee use of consumer-grade cloud services and hoped for the best may now need to look at the problem in a new – and perhaps very expensive – light.