In the third privacy-related enforcement action of the year, the FCC Enforcement Bureau entered into a $595,000 settlement with Cox Communications to resolve an investigation into the company’s loss of customer personal data. The settlement represents the FCC’s first privacy and data security enforcement action against a cable operator. The Enforcement Bureau Order highlights the need for cable and telecommunications companies to review and update current privacy and data protection practices, including third party vendor agreements and employee training practices.
The enforcement action stems from a data breach incident in August 2014 involving a form of social engineering called “pretexting,” in which an individual tricks another party into divulging confidential information. In the instant case, a third party pretended to be from Cox’s information technology department and convinced a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a fake website. The individual was then able to use the credentials to access the personally identifiable information (“PII”) and customer proprietary network information (“CPNI”) of Cox customers. Breached information included confidential information such as names, home addresses, email addresses, phone numbers, partial Social Security numbers, partial driver’s license numbers, and telephone customers’ account information. The Commission noted that a lack of technical safeguards, such as multi-factor authentication, contributed to the individual’s ability to access the information. The breach resulted in the hacker posting the PII of at least eight individuals on social media sites, changing the passwords of at least 28 customers, and sharing customer PII with another hacker. The Commission noted that Cox failed to report the customer data breaches through the Commission’s breach-reporting portal.
The Commission emphasized that the Communications Act requires cable operators to “take such actions as are necessary to prevent unauthorized access to [PII] by a person other than the subscriber or cable operator.” Moreover, as a telecommunications provider pursuant to the 2015 Open Internet Order, Cox must “take every reasonable precaution” to protect customer data and is required to disclose CPNI breaches to the Commission via the FCC’s breach-reporting portal within seven (7) business days after “reasonable determination” of a breach in order to notify the U.S. Secret Service and FBI.
As part of the settlement, Cox will be required to: (1) pay a civil penalty of $595,000; (2) designate a senior corporate manager who is a certified privacy professional; (3) conduct privacy risk assessments; (4) implement a written information security program; (5) maintain reasonable oversight of third-party vendors, including requiring multi-factor authentication; (6) develop a “more robust data breach response plan;” and (7) train its employees and third-party vendors in privacy and security awareness. Cox must also identify all customers involved in the data breach, notify them of the breach, and provide them with free credit monitoring.