The FCC flexes its privacy muscles

[Commentary] Earlier in Nov, Cox Communications agreed to pay $595,000 and enter into a seven-year consent decree with the Federal Communications Commission to settle a case involving a hack that exposed the data of 61 Cox customers. This was the FCC's first privacy and data security enforcement action against a cable operator and is likely to reinforce concerns about the FCC's new authority in this area and how it will be implemented. Normally, privacy and data security matters are the domain of the Federal Trade Commission, which has substantial experience in the area. However, the FTC does not have jurisdiction over common carriers, which broadband providers now are thanks to the FCC's Open Internet Order. That order reclassified broadband providers as Title II common carriers, and thus shifted privacy and data security enforcement for these companies from the FTC to the FCC, which has much less experience in these matters. This lack of experience shows in the FCC's inaugural enforcement action.

In the future, the FCC should provide evidence that its enforcement actions yield positive net benefits. It seems unlikely that the way to do that is to apply a de facto strict liability standard to a company that was the victim of a security breach potentially affecting 0.001 percent of its customers (with minimal costs even to them), acted quickly to limit its effects and worked with law enforcement to apprehend the perpetrators.

[Thomas Lenard is president and senior fellow at the Technology Policy Institute]