On November 6, 2015, the FCC’s Media Bureau released an Order denying a complaint filed by seven commonly controlled broadcast stations (collectively, “Northwest”) against DirecTV.  In the complaint, Northwest alleged that DirecTV violated its duty to negotiate retransmission consent in good faith by not sharing pricing information from recent negotiations to substantiate its positions that Northwest’s prices were above market levels following a request from Northwest.

Background.  The Communications Act and FCC rules obligate both broadcasters and multichannel video programming distributors (“MVPDs”) to negotiate their retransmission consent deals in good faith.  Under the FCC’s rules, parties may rely on a two-part test for violations:  (i) a list of per se violations, and (ii) a totality of the circumstances test under which the FCC looks at all relevant facts to determine whether a negotiating party acted in bad faith.  Moreover, while parties must explain their reasons for putting forth or denying a retransmission consent offer, FCC rules do not require them to substantiate or offer evidence to justify their bargaining positions. 

Northwest v. DirecTV.  DirecTV carried Northwest’s signals pursuant to a 2011 agreement set to expire in February 2015.  In 2014, the parties began negotiating a new agreement, and traded multiple carriage offers between November 2014 and May 2015.  At one point, Northwest provided DirecTV with data from over 15 retransmission consent agreements that it had entered into in 2015 (with identities of the MVPDs redacted) in an effort to establish a fair market value for its signals.  DirecTV refused to pay Northwest’s requested amount, claiming it was much higher than what it paid under other agreements, and also refused to provide similar data upon request to Northwest to substantiate this claim.

Denial of the Complaint.  Northwest argued that DirecTV’s refusal to disclose the amounts it pays to other broadcasters was a violation of both the per se and the totality of the circumstances tests.  First, Northwest complained that DirecTV committed a per se violation of the good faith rules by “unreasonably delaying negotiations” when it refused to provide the background information that Northwest requested.  Second, Northwest argued that DirecTV violated the totality of the circumstances test by not basing its price demands on “demonstrable market considerations” and by withholding facts about market conditions in an attempt to evade a true negotiation over prices. 

The Media Bureau rejected both of the broadcasters’ claims.  First, the Bureau found that DirecTV did not unreasonably delay negotiations when it refused to provide the facts requested by Northwest.  Next, the Bureau found that DirecTV did not act in bad faith under the totality of the circumstances test, as, under the good faith rules, negotiating entities need not substantiate or offer further evidence to justify their bargaining positions.  The Bureau specifically observed that disagreement over terms or rates, absent other factors, is not indicative of bad faith, nor does disagreement in this instance require one party to provide information supporting its position to the other party.

Note:  In denying the complaint, the Media Bureau pointed out that its resolution of this retransmission consent dispute has no bearing on the “substantiation” issue raised in the FCC’s pending rulemaking examining whether changes to its totality of the circumstances test are warranted as a result of marketplace changes.  In particular, the NPRM seeks comment on whether “an MVPD’s or broadcaster’s refusal to provide ‘information substantiating reasons for positions taken when requested in the course of bargaining’ violates the obligation to negotiate retransmission consent in good faith.”

If you have any questions about good faith retransmission consent negotiations, please Bruce Beard at (314) 394-1535 or bbeard@cinnamonmueller.com, or Scott Friedman or Jake Baldwin at (312) 372-3930 or sfriedman@cinnamonmueller.com or jbaldwin@cinnamonmueller.com.

FCC Adopts First Cable Privacy Enforcement Action

Cox Communications to Pay $595,000 for Violations

On November 5, 2015, the FCC’s Enforcement Bureau released an Order resolving its investigation into whether Cox Communications (“Cox”) had failed to properly protect the confidentiality of its customers’ proprietary information (“PI”), proprietary network information (“CPNI”), and personally identifiable information (“PII”).  Under the terms of the Consent Decree between the Bureau and Cox, Cox will pay a $595,000 civil penalty to settle the matter.

While this represents the Enforcement Bureau’s first cable privacy action, it is also the latest in a string of aggressive privacy enforcement actions, including a $25 million settlement with AT&T over breaches of its call centers and a $3.5 million settlement with TerraCom and YourTel over their failure to protect PI received from customers.  The FCC’s action against Cox, together with other recent privacy enforcement actions, serves as an important reminder for both cable and telecommunications providers to adopt and implement policies to protect their subscribers’ privacy. 

Background.  Cox provides cable, broadband, telecommunications, and home automation services.  On or about August 7, 2014, Cox’s data systems were breached by a member of the hacker group “Lizard Squad,” who pretended to be a Cox information technology employee (i.e., “pretexting,” where a perpetrator adopts the identity of a legitimate person or entity to obtain confidential information) to convince a contractor to enter her login information into a fake website controlled by the hacker.  With this access, the hacker was able to view PII and CPNI of some Cox subscribers, post subscribers’ personal information on social media sites, and change the passwords of some of the affected customers. 

Cox asserts that it learned of the breach on August 12, 2014.  Cox then investigated the incident, identified the source of the breach, and disabled the compromised access credentials.  On August 18, 2014, Cox directly contacted the FBI and cooperated with the subsequent investigation of the breach.  However, Cox did not disclose the CPNI breach via the FCC data breach reporting portal. 

Privacy Protections.  Under Section 631 of the Communications Act, cable operators must protect a subscriber’s PII—generally, information that could identify an individual subscriber, such as an address or phone number—from disclosure without the subscriber’s prior written consent and must take actions to prevent unauthorized access to this information. 

Section 222 imposes a similar but not identical duty on telecommunications carriers to protect customers’ CPNI.  The FCC has recently ruled in a series of decisions that Section 222 also imposes a duty to protect customers’ PI.  The Act doesn’t define “PI”, but in the Cox Consent Decree, and consistent with these other rulings, the Bureau defined it to mean either (1) a customer’s name in combination with a social security number, driver’s license or other government ID number, account number, or credit or debit card number and access code allowing access to financial accounts, or (2) a user name or email address along with a password or security question allowing access to an online account.  The Act defines CPNI as (1) information that relates to the quantity, configuration, type, destination, location, or amount of use of a telecommunications service and that is made available to the carrier solely by virtue of the carrier-customer relationship, and (2) information contained in telephone bills. The FCC’s rules require that telecommunications carriers and VoIP providers protect CPNI by taking reasonable measures to discover and protect against unauthorized access to CPNI.  The rules also require notification to law enforcement in the event of a breach of a customer’s CPNI.   

Lastly, the FCC has interpreted Section 201 of the Act to apply to communications services carriers’ data-security practices, requiring companies to employ just and reasonable practices to protect consumers’ PI.

FCC Enforcement Bureau Action.  The FCC’s Enforcement Bureau commenced an investigation into whether Cox (i) failed to properly protect customer information, (ii) failed to take reasonable measures to discover and protect against unauthorized access, (iii) failed to timely notify law enforcement of a CPNI breach, and (iv) engaged in unjust and unreasonable practices by failing to employ reasonable data security practices, failing to monitor for breached data online, and failing to notify all potentially affected customers of the breaches.

According to the Bureau, the disclosure of the data violated the Communications Act.  Relying on Sections 222 and 631, the Bureau stated that “Congress and the Commission have made clear that cable operators such as Cox must ‘take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator.’”  Moreover, the Bureau emphasized that telecommunications carriers such as Cox “must take ‘every reasonable precaution’ to protect their customers’ data” and report CPNI breaches to law enforcement via the FCC portal within seven days.

Consent Decree.  Under the Consent Decree, Cox must pay a $595,000 fine, designate a compliance officer, take remedial measures to help alleviate the harm caused by the breach, and create and implement a comprehensive compliance plan including third-party oversight, risk assessment, an incident response plan, and review of its other privacy practices. 

If you have any questions about privacy compliance, please contact Scott Friedman at (312) 372-3930 or sfriedman@cinnamonmueller.com.