On Wednesday, April 8, the Federal Communications Commission (FCC) entered a consent decree and levied a $25 million civil penalty against AT&T to settle a data breach that exposed the information of nearly 280,000 customers.  This order comes on the heels of other recent FCC enforcement actions for privacy violations, demonstrating an invigorated effort by the FCC to “exercise its full authority” against companies that fail to secure customer data.

Until last week’s AT&T decision, the October 2014 enforcement decision against TerraCom and YourTel America was the FCC’s largest privacy and data security action.  In that case, TerraCom and YourTel, which offered wireless and wireline voice services to lower-income Americans through the Lifeline program, collected sensitive personal information from customers and potential customers to determine Lifeline eligibility.  This information, including Social Security numbers and evidence of participation in government assistance programs, was kept as unencrypted, readable text accessible via the Internet.  The discovery of this data prompted the FCC’s investigation.

The FCC’s enforcement was based on Section 222 of the Communications Act, as amended (the Act), which requires that telecommunications carriers “protect the confidentiality of proprietary information of … customers” (47 U.S.C. § 222(a)).  The regulatory enforcement of this provision most often arises in the context of a subset of that information known as “customer proprietary network information,” or CPNI.  CPNI is defined by statute (47 U.S.C. § 222(h)(1)) as that information that relates to a customer’s use of the telecommunications service and the billing information associated with that service.  In the TerraCom and YourTel case, the FCC took a significant step to require the protection of information beyond CPNI, holding that the Act’s protections extend to “all types of information that should not be exposed widely to the public, whether because that information is sensitive for economic reasons or for reasons of personal privacy.”  While the FCC did not define specifically what data is included within the scope of its “personal privacy” protections, it did refer favorably to the National Institute of Standards and Technology’s definition of personally identifiable information, which includes all “information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.”  Having established that regulated entities have a duty to protect a customer’s private information, the FCC determined that TerraCom and YourTel breached that duty.  The FCC relied on its broad authority under Section 201(b) of the Act, which requires “just and reasonable” conduct, to find that the companies’ failure to use “even the most basic and readily available technologies and security features” was unjust and unreasonable.  The FCC issued a Notice of Apparent Liability against TerraCom and YourTel, and proposed an $8.5 million forfeiture.

The FCC followed this recent precedent in taking enforcement action against AT&T for its recent information security incident.  In this case, AT&T used third-party vendors located in Mexico, Colombia, and the Philippines to receive customer service calls.  The customer support representatives had access to sensitive customer data, and a small number of representatives in Mexico used login credentials to access AT&T customers’ names and the last four digits of their Social Security numbers.  These employees then used that customer data to submit online requests to unlock stolen AT&T handsets—totaling more than 290,000 unlock requests using data from more than 50,000 customers.  Meanwhile, representatives in Colombia and the Philippines accessed data from approximately 211,000 customers.  Just as in TerraCom and YourTel, no CPNI was compromised by the AT&T breach.  Instead, the FCC has again undertaken enforcement action based on the disclosure of “personal information,” this time resulting in a $25 million civil penalty and mandatory compliance and monitoring plans lasting up to seven years.

With two major enforcement actions in seven months, the FCC has asserted a major role in enforcing consumer protections for data security.  While we have become accustomed to seeing the Federal Trade Commission examining a company’s privacy and security practices, the FCC has now shown a willingness to undertake a similar review of companies within its jurisdiction.  Many telecommunications providers are accustomed to the high standards required for protecting CPNI, but the breadth of the FCC’s recent enforcement actions has multiple implications for all regulated entities.

First, it is no coincidence that these recent enforcement actions have resulted from the actions of third-party vendors (nor is it a coincidence that many hacking incidents, such as the Target hack, have stemmed from vendors connecting to a company’s network).  While there is no avoiding the use of vendors, a comprehensive data security plan needs to include a thorough examination (and regular reexaminations) of vendor security practices, particularly when confidential information is accessible.

Second, the FCC’s 2015 Open Internet Order held that all broadband Internet access service providers are subject to the same Section 222 privacy requirements enforced in these recent actions.  While the FCC also decided that its implementing rules do not (yet) apply, broadband ISPs seem destined for similar (if not the same) privacy standards as were applied here.

Third, the FCC’s Communications Security, Reliability and Interoperability Council recently released a Cybersecurity Risk Management and Best Practices Report for the communications industry.  While we will have much more to say about this report in a future blog post, it is worth noting that data security “best practices” often quickly evolve into basic standards of care.  Presuming the FCC’s enforcement actions in this space continue, expect standards like these to play a role in determining whether a company has satisfied its statutory requirements of protecting customer data.