On April 8, 2015, the Federal Communications Commission (“FCC” or the “Commission”) Enforcement Bureau (“EB”) reached a $25 million consent decree with AT&T over privacy and data security breaches involving its customers’ proprietary information (“PI”) and customer proprietary network information (“CPNI”) at three of AT&T’s international call centers. Under the terms of the settlement, AT&T must implement a wide-ranging compliance plan, notify affected customers of the breach (and provide free credit monitoring services), and report any noncompliance or future breaches to the Commission.
As explained in more detail below, this settlement represents the latest in a growing trend of aggressive enforcement of the Commission’s privacy and data security rules. As the Commission continues to find new ways to apply its rules against carriers—and begins to implement its 2015 Open Internet Order against broadband Internet access service (“BIAS”) providers—providers should take steps to bring themselves (and their vendors) into compliance.
The consent decree stems from data breaches that occurred at AT&T customer call centers in Mexico, Colombia, and the Philippines between 2013 and 2014. Through its investigation, the FCC determined that call center employees had gained unauthorized access to CPNI and other personal information in a scheme to supply third parties with unlock codes for AT&T mobile phones. The Mexico breach affected 68,701 customer accounts, while the Colombia and Philippines breaches affected at least another 211,000 customer accounts.
In the consent decree, the Commission argues that AT&T’s conduct violated two provisions of the Communications Act of 1934—Section 201(b) and Section 222(c)—along with the Commission’s CPNI safeguards and breach reporting rules. As we explained in an earlier blog post, the Commission relied on Section 201(b) in its Notice of Apparent Liability against YourTel and TerraCom, which it issued late last year based on similar data breaches involving vendor security practices. The AT&T action is indicative of the Commission’s intent to continue using Section 201(b) to protect consumers’ personal information and require more stringent data security practices among communications companies.
Terms of the Consent Decree
Under the terms of the consent decree, AT&T agrees to pay a $25 million civil penalty, and to implement a wide-ranging compliance plan, which includes the following key elements:
- Risk Assessment. AT&T must perform a risk assessment to identify internal risks of PI or CPNI breaches by employees and vendors, and to evaluate the sufficiency of existing policies, procedures, and practices designed to protect against a data breach.
- Information Security Program. AT&T must establish a written information security program to protect against CPNI and PI breaches by employees and vendors. AT&T must keep this information security program up-to-date and address deficiencies and gaps as they appear. These provisions of the consent decree will remain in effect for seven years.
- Compliance Manual and Training. AT&T must develop and distribute a compliance manual to relevant employees and vendors (and the vendors’ employees) explaining Section 222, the FCC’s CPNI rules, the terms of the consent decree, and all operating procedures that employees and vendors’ employees must follow. As with the information security program, AT&T must periodically review and revise the compliance manual to ensure it is current and accurate. Further, AT&T must establish and implement a compliance training program to ensure compliance with Section 222, the CPNI rules, and the operating procedures.
In addition, with respect to the Colombia and Philippines breaches, AT&T must notify each affected customer about the breach, offer one year of complimentary credit monitoring services through a nationally recognized credit monitoring service, and provide a toll-free number where affected customers may contact AT&T with questions about the breaches. Moreover, AT&T must report any noncompliance with the consent decree, and any breaches of PI or CPNI involving any employees or vendor employees, to the Commission. Finally, AT&T must file periodic compliance reports with the Commission.
In a separate blog post on the Commission’s website, Kris Monteith, Acting Chief of the Consumer and Governmental Affairs Bureau, provided consumers with action items to protect themselves from theft of smart devices and personal information. Among other things, Monteith recommended that consumers set strong passwords or PINs, or take advantage of biometric and fingerprint authentication technologies. Providers should consider communicating similar advice to their subscribers.
We don’t expect the Commission’s privacy and data security enforcement push to end any time in the near future. Quite the opposite. As the Commission notes in its press release announcing the consent decree, this action is its fifth major enforcement action—totaling over $50 million in penalties—in the last year related to consumer privacy and data security.
Further, as the Commission begins to implement its 2015 Open Internet Order, we expect the EB to seek out new and creative ways to stretch its privacy and data security authority against providers, both for the providers’ own actions, as well as those of their vendors (both here and abroad). Moreover, as the Commission embarks on its effort to draft privacy and data security rules for BIAS, we expect vigorous debate about how best to protect consumers without imposing undue or unwarranted burdens on providers.
As a result, providers interested in getting involved in these debates should continue to monitor developments and contact counsel for assistance. Additionally, all telecommunications and broadband providers alike should take affirmative steps to inventory their own data security policies, procedures, and practices, as well as those of their vendors, to ensure compliance with FCC rules and guidance.