On April 8, 2015, the FCC announced that it had agreed to a $25 million settlement with AT&T following an investigation into consumer privacy violations at AT&T call centers. According to the FCC release, AT&T improperly disclosed the personal information of approximately 280,000 U.S. customers when employees at internationally based call centers accessed customer records without authorization. The employees, based in Mexico, Colombia and the Philippines, accessed and then distributed private customer information, such as names and Social Security numbers, to unauthorized third parties trafficking in stolen or secondary-market cell phones.
The violations were first discovered in May 2014, when investigators learned of a breach originating from AT&T’s call center in Mexico between November 2013 and April 2014. During this period, the FCC reports, employees were paid for customer information that could be used to submit online requests for cellular handset unlock codes. Subsequent violations were discovered in Colombia and the Philippines.
The investigation and enforcement action arose out of AT&T’s failure to, among other things, reasonably secure customer personal information, in violation of a carrier’s duty under Section 222 of the Communications Act. As noted in the release, the Commission expects telecommunications carriers to (a) take “every reasonable precaution” to protect customer data and (b) take reasonable measures to discover, report, and protect against attempts to access customer personal information without authorization.
All told, the settlement requires AT&T to:
- Pay a $25 million civil penalty
- Notify all customers whose accounts were improperly accessed
- Pay for credit monitoring service for all customers affected by the breaches in Colombia and the Philippines
- Improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional
- Conduct a privacy risk assessment
- Implement an information security program
- Prepare an “appropriate” compliance manual
- Regularly train employees on privacy policies and applicable legal authorities
This is the largest privacy and data security enforcement action ever initiated by the FCC. Overall, within the last year, the FCC has instituted five major enforcement actions valued at over $50 million arising from customer privacy and data security violations.
Even if your business is not subject to FCC oversight, this investigation and enforcement action should attract your attention, especially given that there is a market for your customers’ private information. Steps such as those outlined above can reduce an organization’s exposure to unauthorized disclosure.