In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’ personal information and encouraging the industry to “look to this agreement as guidance.”
The initial focus of the FCC’s investigation was a 168-day breach at AT&T’s call center in Mexico that began in November 2013. Three employees at the Mexico call center accessed 68,701 customer accounts without authorization, obtaining customer information such as names and partial social security numbers, which they then sold to third-party buyers. Those buyers, who appear to have been trafficking stolen cell phones, used the account data to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal. In accessing the customer names and social security information, the rogue employees also accessed customer proprietary network information, or CPNI, which appeared on the same account pages.
During the investigation into the breach at the Mexico call center, AT&T informed the FCC that it had discovered additional breaches at call centers in Colombia and the Philippines. AT&T reported that 40 employees in Colombia and the Philippines had accessed customer names, telephone numbers, and social security numbers, accessing approximately 211,000 customer accounts.
The FCC alleged that AT&T had violated Section 222 of the Communications Act, which requires telecommunications carriers to take every reasonable precaution to protect customer data, including CPNI, as well as Section 201(b) of the Act, which prohibits unjust and unreasonable practices. Rules promulgated under Section 222 require carriers to take reasonable measures to discover, report and protect against attempts to access CPNI, including notifying law enforcement “as soon as practicable, in no event later than seven (7) business days, after reasonable determination of the breach.”
AT&T notified the U.S. Secret Service and the FBI of the Mexico call center breach on May 20, 2014, over a month after it began its internal investigation. Throughout 2014, AT&T took a series of steps to mitigate the breach, including notifying customers whose information had been accessed at the Mexico call center, notifying the California Attorney General under California state law, terminating its relationship with the Mexico call center, investigating its call centers in Colombia and the Philippines, implementing measures to mask full social security numbers in its call center systems, developing new monitoring procedures to identify suspicious account access, and changing its unlock policy so that customers were no longer required to provide personal information in order to receive an unlock code.
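Two of the mitigations listed above, masking full social security numbers in agent-facing systems and monitoring for suspicious account access, are the parts of this story a security team can actually build. The following is an added illustration, not AT&T’s code and not drawn from the FCC order: it runs two detection rules over a constructed call-center access log (an agent-day that views far more distinct accounts than its peers, and an agent whose viewed accounts are disproportionately followed by handset unlock requests, which is the pattern the Mexico breach produced), plus the display-layer SSN masking. The log data, agent identifiers, and all thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def mask_ssn(ssn: str) -> str:
    """Display-layer masking: keep only the last four digits so an agent's
    screen never shows a full SSN. Accepts '123-45-6789' or '123456789' and
    rejects anything that is not exactly nine digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def build_sample_logs():
    """Constructed data only (not from the AT&T incident): three ordinary
    agents viewing a handful of accounts per shift, and one agent (agent-203)
    bulk-browsing 40 accounts in a single shift, 30 of which receive an
    unlock request two days later. Returns (access, unlocks) where
    access = [(timestamp, agent_id, account_id)] and unlocks = [(timestamp, account_id)]."""
    access, unlocks = [], []
    base = datetime(2013, 11, 4, 9, 0)
    for day in range(3):
        for agent, n in (("agent-101", 6), ("agent-102", 8), ("agent-103", 5)):
            for i in range(n):
                ts = base + timedelta(days=day, minutes=10 * i)
                access.append((ts, agent, f"acct-{day}{agent[-3:]}{i:02d}"))
    for i in range(40):
        ts = base + timedelta(days=1, minutes=2 * i)
        acct = f"acct-9{i:03d}"
        access.append((ts, "agent-203", acct))
        if i < 30:
            unlocks.append((ts + timedelta(days=2), acct))
    # One legitimate unlock for a customer agent-101 served on day 0.
    unlocks.append((base + timedelta(days=4), "acct-010100"))
    return access, unlocks


def accounts_per_agent_day(access):
    """Map (agent, date) -> set of distinct account ids viewed that day."""
    seen = defaultdict(set)
    for ts, agent, acct in access:
        seen[(agent, ts.date())].add(acct)
    return seen


def flag_volume_anomalies(access, multiplier=3.0, min_accounts=20):
    """Rule 1: flag agent-days whose distinct-account count exceeds both an
    absolute floor and a multiple of the median agent-day. Both thresholds are
    illustrative assumptions. Returns {(agent, date): count}."""
    counts = {k: len(v) for k, v in accounts_per_agent_day(access).items()}
    if not counts:
        return {}
    threshold = max(min_accounts, multiplier * median(counts.values()))
    return {k: n for k, n in counts.items() if n > threshold}


def flag_unlock_correlation(access, unlocks, window_days=7, min_ratio=0.5, min_views=10):
    """Rule 2: for each agent, the share of distinct accounts they viewed that
    received a handset-unlock request within window_days of the first view.
    An insider feeding account data to phone traffickers shows a ratio far
    above the ordinary rate. Returns {agent: ratio} for agents over threshold."""
    first_view = {}
    for ts, agent, acct in sorted(access):
        first_view.setdefault((agent, acct), ts)
    unlock_times = defaultdict(list)
    for ts, acct in unlocks:
        unlock_times[acct].append(ts)
    viewed, hits = defaultdict(set), defaultdict(int)
    for (agent, acct), ts in first_view.items():
        viewed[agent].add(acct)
        window_end = ts + timedelta(days=window_days)
        if any(ts <= u <= window_end for u in unlock_times.get(acct, [])):
            hits[agent] += 1
    flagged = {}
    for agent, accts in viewed.items():
        if len(accts) >= min_views and hits[agent] / len(accts) >= min_ratio:
            flagged[agent] = round(hits[agent] / len(accts), 3)
    return flagged


if __name__ == "__main__":
    access, unlocks = build_sample_logs()
    print("masked:", mask_ssn("123-45-6789"))
    print("volume anomalies:", flag_volume_anomalies(access))
    print("unlock correlation:", flag_unlock_correlation(access, unlocks))
```

On the sample data the volume rule flags agent-203 on 2013-11-05 with 40 accounts (the peer median is 6), and the correlation rule flags agent-203 at 0.75; agent-101’s single legitimate unlock yields a ratio well under the cutoff. In production the peer median should be computed over a rolling window per site and shift, since a genuine busy day at one center will otherwise look like an incident.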
AT&T’s settlement agreement with the FCC requires it to implement permanent policies that reach far beyond these initial steps. In addition to the $25 million fine, AT&T must institute a strict compliance plan that includes the following measures:
- designation of a senior compliance manager who is a certified privacy professional;
- completion of a privacy risk assessment reasonably designed to identify internal risks of unauthorized access, use, or disclosure of personal information and CPNI;
- implementation of an information security program reasonably designed to protect CPNI and personal information from unauthorized access, use, or disclosure;
- preparation of an appropriate compliance manual to be distributed to all covered employees and vendors; and
- regular training of employees on privacy policies and applicable privacy legal authorities.
AT&T is required to report any noncompliance to the FCC and must file regular compliance reports for the next three years.
In addition, AT&T agreed to certain terms specific to the violations in Colombia and the Philippines, including providing all affected customers with written notice of the breach, offering one year of complimentary credit monitoring services, and establishing a toll-free number for questions regarding the breach.
While this is the largest action the FCC has taken to date, it is consistent with a trend of active enforcement over the past year. In October 2014, the FCC fined TerraCom, Inc. and YourTel America, Inc. $10 million for allegedly placing the personal data of up to 300,000 consumers at risk by storing social security numbers, names, addresses, driver’s licenses, and other personal information on unprotected Internet servers that “anyone in the world” could access. In the last year the FCC has taken five major enforcement actions related to privacy and data security valued at over $50 million.
The FCC has warned that it intends to intensify scrutiny of privacy and data security practices under Sections 222 and 201. It attributes its “heightened interest” in pursuing data security regulation, which traditionally fell under the purview of the Federal Trade Commission, to the increased prevalence of mobile devices. Telecommunications carriers, broadband providers, and other companies with a stake in mobile data security should view the compliance requirements in the AT&T settlement as a set of best practices for protecting consumers’ personal information.