FCC Imposes Record Penalty for Data Breach

by Latham & Watkins LLP

On Wednesday, April 8, the Federal Communications Commission (FCC) entered a consent decree and levied a $25 million civil penalty against AT&T to settle a data breach that exposed the information of nearly 280,000 customers.  This order comes on the heels of other recent FCC enforcement actions for privacy violations, demonstrating an invigorated effort by the FCC to “exercise its full authority” against companies that fail to secure customer data.

Until last week’s AT&T decision, the October 2014 enforcement decision against TerraCom and YourTel America was the FCC’s largest privacy and data security action.  In that case, TerraCom and YourTel, which offered wireless and wireline voice services to lower income Americans through the Lifeline program, collected sensitive personal information from customers and potential customers to determine Lifeline eligibility.  This information, including Social Security numbers and evidence of participation in government assistance programs, was kept as unencrypted, readable text accessible via the Internet.  The discovery of this data prompted the FCC’s investigation.

The FCC’s enforcement was based on Section 222 of the Communications Act, as amended (the Act), which requires that telecommunications carriers “protect the confidentiality of proprietary information of … customers” (47 U.S.C. § 222(a)).  The regulatory enforcement of this provision most often arises in the context of a subset of that information known as “customer proprietary network information,” or CPNI.  CPNI is defined by statute (47 U.S.C. § 222(h)(1)) as that information that relates to a customer’s use of the telecommunications service and the billing information associated with that service.  In the TerraCom and YourTel case, the FCC took a significant step to require the protection of information beyond CPNI, holding that the Act’s protections extend to “all types of information that should not be exposed widely to the public, whether because that information is sensitive for economic reasons or for reasons of personal privacy.”  While the FCC did not define specifically what data is included within the scope of its “personal privacy” protections, it did refer favorably to the National Institute of Standards and Technology’s definition of personally identifiable information, which includes all “information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.”  Having established that regulated entities have a duty to protect a customer’s private information, the FCC determined that TerraCom and YourTel breached that duty.  The FCC relied on its broad authority under Section 201(b) of the Act, which requires “just and reasonable” conduct, to find that the companies’ failure to use “even the most basic and readily available technologies and security features” was unjust and unreasonable.  The FCC issued a Notice of Apparent Liability against TerraCom and YourTel, and proposed an $8.5 million forfeiture.

The FCC followed this recent precedent in taking enforcement action against AT&T for its recent information security incident.  In this case, AT&T used third-party vendors located in Mexico, Colombia, and the Philippines to receive customer service calls.  The customer support representatives had access to sensitive customer data, and a small number of representatives in Mexico used login credentials to access AT&T customers’ names and the last four digits of their Social Security numbers.  These employees then used that customer data to submit online requests to unlock stolen AT&T handsets—totaling more than 290,000 unlock requests using data from more than 50,000 customers.  Meanwhile, representatives in Colombia and the Philippines accessed data from approximately 211,000 customers.  Just as in TerraCom and YourTel, no CPNI was compromised by the AT&T breach.  Instead, the FCC has again undertaken enforcement action based on the disclosure of “personal information,” this time resulting in a $25 million civil penalty and mandatory compliance and monitoring plans lasting up to seven years.

With two major enforcement actions in seven months, the FCC has asserted a major role in enforcing consumer protections for data security.  While we have become accustomed to seeing the Federal Trade Commission examining a company’s privacy and security practices, the FCC has now shown a willingness to undertake a similar review of companies within its jurisdiction.  Many telecommunications providers are accustomed to the high standards required for protecting CPNI, but the breadth of the FCC’s recent enforcement actions has multiple implications for all regulated entities.

First, it is no coincidence that these recent enforcement actions have resulted from the actions of third-party vendors (nor is it a coincidence that many hacking incidents, such as the Target hack, have stemmed from vendors connecting to a company’s network).  While there is no avoiding the use of vendors, a comprehensive data security plan needs to include a thorough examination (and regular reexaminations) of vendor security practices, particularly when confidential information is accessible. 

Second, the FCC’s 2015 Open Internet Order held that all broadband Internet access service providers are subject to the same Section 222 privacy requirements enforced in these recent actions.  While the FCC also decided that its implementing rules do not (yet) apply, broadband ISPs seem destined for similar (if not the same) privacy standards as were applied here.

Third, the FCC’s Communications Security, Reliability and Interoperability Council recently released a Cybersecurity Risk Management and Best Practices Report for the communications industry.  While we will have much more to say about this report in a future blog post, it is worth noting that data security “best practices” often quickly evolve into basic standards of care.  Presuming the FCC’s enforcement actions in this space continue, expect standards like these to play a role in determining whether a company has satisfied its statutory requirements of protecting customer data.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising
