On April 8, 2015, the Federal Communications Commission announced a $25 million settlement with AT&T Services, Inc. (“AT&T”) stemming from allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia and the Philippines. The breaches, which took place over 168 days from November 2013 to April 2014, involved unauthorized access to customers’ names, full or partial Social Security numbers and certain protected account-related data, affecting almost 280,000 U.S. customers.

In addition to the $25 million civil penalty, the Consent Decree requires AT&T to:

  • notify all affected customers;
  • pay for credit monitoring services for customers who were affected by the breaches in Colombia and the Philippines;
  • bolster its privacy and data security practices, including by appointing a senior compliance manager, conducting a privacy risk assessment, implementing an information security program, and training employees on its privacy policies; and
  • file regular compliance reports with the FCC.

This settlement is the FCC’s largest privacy and data security enforcement action to date and according to FCC Chairman Tom Wheeler, demonstrates that “the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”