The FISMA Focus IPD

In the wake of the Federal Communications Commission’s (“FCC’s”) first-ever foray last October into fining companies over data security practices, the agency’s Enforcement Bureau Chief, Travis LeBlanc, asserted that the agency “will not tolerate” conduct that, in the agency’s view, “puts American consumers at risk of financial fraud and identity theft.” Thus, said LeBlanc at the time, while that action was the agency’s first in the data security space, “it will not be the last.”

Now, six months later, the FCC has followed through on that warning with a $25 million settlement with AT&T. This fine, the largest for privacy or data security violations in the agency’s history, confirms that it intends to aggressively claim authority over privacy and data security practices. Nor does this new assertion of authority appear to be focused solely on companies traditionally thought to be within FCC jurisdiction. With the agency’s recent classification of broadband Internet access as a telecommunications service through its Open Internet Order and other signals of intent to expand the reach of communications laws (including those relating to privacy), a number of new practices are now apparently within the FCC’s sights.