Last Thursday, the Federal Communications Commission (“FCC”) announced that it had entered into a Consent Decree with Cox Communications, Inc. (“Cox”) to resolve an investigation into whether the cable company had failed to properly (1) protect the confidentiality of its customers’ “proprietary information,” customer proprietary network information (“CPNI”), and personally identifiable information, and (2) notify law enforcement about a breach of CPNI.1 This Consent Decree is the FCC’s third data securityrelated settlement this year, and the first such settlement with a cable company.2
The Cox Consent Decree
According to the Order adopting the Consent Decree, in August 2014, a hacker infiltrated Cox’s electronic data systems and wrongfully accessed customer data, including customers’ names, home addresses, email addresses, phone numbers, partial Social Security numbers, drivers’ license numbers, and other accountrelated data. The hacker posed as a Cox information technology employee and convinced a Cox service representative and a Cox contractor to enter their account numbers and passwords into a fake website that the hacker controlled, allowing the hacker to use the Cox employees’ credentials to access Cox’s systems and obtain customers’ data. The hacker then posted data about at least eight customers on social media, changed the passwords of at least 28 customers, and shared customers’ personal information with another alleged hacker. Cox did not report the breaches through the FCC’s breachreporting portal. The FCC initiated an investigation into whether Cox had violated Sections 201(b) and 222(a) of the Communications Act by its failure to protect this information and notify the FCC.3 To settle the matter, Cox agreed to pay a civil penalty of $595,000 and develop and implement a compliance plan to protect customers from data breaches in the future.
FCC Imposes Detailed Data Security Requirements
The Cox Order is significant, because it requires the cable provider to include in its data security compliance plan numerous specific technical requirements that the previous two data security settlements did not include. Specifically, the Order directs Cox to develop and implement a compliance plan that, among many other things, requires Cox to do the following:
- Monitor critical points within Cox’s infrastructure that contain proprietary information and CPNI by taking information feeds from industry sources and internal detection tools and correlating these information sources to alert Cox’s security monitoring center when a potential event has occurred;
- Conduct annual penetration testing of systems and processes related to payment cards and the collection and storage of personal information and CPNI;
- Develop procedures for internal threat monitoring that includes detection of anomalous conduct by employees;
Require all off network access by third parties with access to Cox customers’ personal information and CPNI to be authenticated through an approved sitetosite virtual private network; and
Conduct an assessment, with a third party consulting firm, to identify additional twofactor authentication opportunities, and by the end of the first quarter of 2016, migrate all third parties that have access to Cox customers’ personal information and CPNI through remote access Citrix platforms to a twofactor authentication solution.
By imposing such numerous and specific technical requirements on providers, the FCC is taking a very different approach to data security than the Federal Trade Commission (“FTC”) has taken. The FTC, which historically has been the principal federal agency responsible for policing companies’ data security practices, typically requires companies to adopt a compliance program for which the FTC provides a highlevel framework. The FTC’s framework generally includes overarching requirements to conduct a risk assessment, design and implement reasonable safeguards to control the risks, implement procedures to select vendors that are capable of maintaining such safeguards, and regularly evaluate and adjust the program as necessary.
An Emerging Data Security Standard of Care?
The FCC’s approach in the Cox settlement also is contrary to the approach that the FCC is purporting to take in the cybersecurity context. There, the FCC has supported the industryled efforts of the Communications, Security, Reliability and Interoperability Council (“CSRIC”). Industry representatives recently worked through CSRIC to map the NIST cybersecurity framework to carriers’ businesses and unique risk profiles in order to develop procedures to protect communications infrastructure from cybersecurity threats. The FCC’s posture in that context is consistent with the Obama administration’s assurances that the NIST cybersecurity framework would not establish a cybersecurity standard of care for industry. The FCC’s approach in its recent settlements, however, threatens to do just that for data security.
Any communications company subject to FCC jurisdiction should watch these developments closely, review and update their data security programs as appropriate, and ensure that they have adopted certain data security safeguards, such as twofactor authentication, remote access controls, and internal monitoring to detect anomalous activity.