On November 5, 2015, the Federal Communications Commission (“FCC” or “Commission”) issued its first ever privacy or data security enforcement order against a cable provider, Cox Communications, Inc. (“Cox”). The order adopted a consent decree entered into with the company, which fines Cox $595,000 for the breach. The order sets out that in August 2014, a hacker used social engineering tactics, or “pretexting,” to impersonate someone from Cox’s information technology department in a phishing scheme that successfully convinced a Cox contractor to enter an account ID and password into a fake website under the attackers’ control. Without multi-factor authentication in place for the targeted systems, the hacker and an accomplice were able to use those captured credentials to obtain the personal information and/or Customer Proprietary Network Information (“CPNI”) of 54 current and seven former customers. Cox notified the FBI of the breach, but did not notify the FCC through the Commission’s breach-reporting portal.
The Enforcement Bureau launched an investigation to determine whether Cox:
- Failed to properly protect the confidentiality of Customers’ personally identifiable information;
- Failed to take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI;
- Failed to provide timely notification to law enforcement of a CPNI breach; and
- Engaged in unjust and unreasonable practices by:
  - Failing to employ reasonable data security practices to protect proprietary information and CPNI, and failing to monitor for Customers’ breached data online; and
  - Failing to notify all potentially affected Customers of the breach.
The Enforcement Bureau premised its enforcement action on Section 631 of the Communications Act, 47 U.S.C. § 551, which limits access to and disclosure of cable service customers’ personally identifiable information. The consent decree also cited Section 222 of the Communications Act, 47 U.S.C. § 222, which requires telecommunications carriers to protect CPNI and, according to the FCC, other personal information.
In publicizing the consent order, the FCC expounded on the harms suffered by customers in a breach of this nature. Enforcement Bureau Chief Travis LeBlanc explained that “[t]his investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media.” Under the terms of the consent decree, Cox will pay a civil penalty of $595,000. Perhaps more costly in the long run, Cox also agreed to a compliance plan that includes significant detailed requirements to remediate the breach and develop a robust privacy and information security compliance and training program, including to:
- Designate a senior corporate manager as a Compliance Officer and have that individual work with the Chief Information Security Officer and the Chief Privacy Officer (who shall be privacy certified by an industry-certifying organization and keep current through continuing privacy education courses) to discharge the duties of the consent decree;
- Conduct a risk assessment by December 31, 2016—and biennially thereafter—to identify internal and external risks to the security, confidentiality, and integrity of the PI/CPNI collected or maintained by Cox;
- Review and revise its information security program within 150 days and ensure that the program is documented in writing and includes reasonable administrative, technical and physical safeguards; reasonable measures to protect PI/CPNI collected by “covered third parties” (i.e., Cox contractors); and proper policies and procedures to identify the nature and extent of CPNI and PI collected and to minimize access to such data;
- Conduct annual audits of selected call center systems and processes to ensure compliance with privacy laws and the consent decree;
- Require all off-network access by contractors with access to PI/CPNI to be authenticated through an approved site-to-site virtual private network by December 31, 2016;
- Review and revise its incident response plan and conduct annual test exercises of the plan;
- Provide remediation with respect to the breach that includes ensuring that each affected customer has been properly notified and receives a one year complimentary credit monitoring service.
The obligations of the consent decree terminate at the end of three, six or seven years, depending on the compliance requirement at issue.
The FCC enforcement action is representative of a few important trends at the Commission. First, as has been widely reported in the media, the Enforcement Bureau has recently become much more aggressive in its enforcement activity, including extracting sizable fines and paying close attention to cybersecurity. Second, the action against Cox represents the FCC’s first privacy and data security action against a cable operator. Third, following issuance of the Open Internet Order, the Commission has signaled its intention to pursue alleged privacy violations related to broadband Internet access service providers, which include many cable operators, such as Cox. Cox and other broadband Internet access service providers were reclassified as telecommunications carriers, and therefore subject to Section 222 of the Communications Act, by the Open Internet Order. However, the FCC did not expressly state that personal information of Cox’s Internet customers was covered by the Order. In the press release accompanying the Order, the FCC indicated that the CPNI at issue in the breach concerned Cox’s telephone customers, and that the hackers also accessed personal information of the company’s cable customers. The FCC made no specific reference to Cox’s Internet customers.